From patchwork Sun Apr  8 01:29:44 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 8353
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.2.1.70 with SMTP id c67csp1042832jad;
	Sat, 7 Apr 2018 18:30:49 -0700 (PDT)
X-Google-Smtp-Source: 
 AIpwx493DY+YPCwtumH84MhRqCRIHObuQqBVv9FVOPqHg5u3dQP4HAmnXSo6InxVaYpM01o2ji8w
X-Received: by 10.223.196.141 with SMTP id
	m13mr22206025wrf.173.1523151049514;
	Sat, 07 Apr 2018 18:30:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523151049; cv=none;
	d=google.com; s=arc-20160816;
	b=ZKjUFQWKzt0H96h7Q+Y5hEiGfyQ1sAlP633nMFJqVZmhnBBCjFq0E6j3CoGqpP4ghj
	1ykMxUM1R+YjEh8Pxe1MF7ysdN9ryjdBDTQaWfPD8GMRZ3l7BEu+S8pT9KVaffAMULac
	DZ0qFlxlAZH+YpjpfBh5xTd5Bl3QgYyGENZ6RuEj9AJ6v6XfhBv+nAu7fGddG5OztNiR
	Ut/2REoTGlVbYrMRI8zIDMoRqpHGLCSlluu272iUj16ymryiOKYBrEjxKdgORo9XieM8
	aMB4y0oDrpzHwNrkt1sfajne9yFEicedMUUjjlehJyCy8GZDZk0tj1k/oS+e+GLimX2G
	Hlig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=Xoe7woiPzAxEAflrbcBCaSd+u6F8m+5NEqfdALEYr6A=;
	b=OSF9aNz61TpqYp1KXqC2sJjdkSmEuHnt/BHCMkI+ud676nyI35f5pgU44HYwSm1Uvw
	1iYwHuMaMVb3GwXOGbYsntJA9nvIbVf4yYUarN+ma+1B2UZwe2rFVmjqGxFMJgvmpn5d
	nFE0gCTTgeTCDWPhUF77FituCKdxlIchoekRA2iamV1kbxmtYSykl15G7Vg4m4KYgre7
	I4POkevsR2u9Pr0BE5jUJHVhAT0wShOimpt7zGFjz8fXRbqOwmj0M+DspxytAPqEDhZZ
	K4Nug9o65Y2JauJC2QQJq3LvClhiCa85nMmzF77b0zFZ/Ep5XysMwRa4ODdVE0uKUE3w
	I19w==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id m5si9745085wrm.146.2018.04.07.18.30.48;
	Sat, 07 Apr 2018 18:30:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4986A689C88;
	Sun,  8 Apr 2018 04:30:24 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-qmta-pe02-1.mx.upcmail.net
	(vie01a-qmta-pe02-1.mx.upcmail.net [62.179.121.181])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 8F510689971
	for <ffmpeg-devel@ffmpeg.org>; Sun,  8 Apr 2018 04:30:17 +0300 (EEST)
Received: from [172.31.218.36] (helo=vie01a-dmta-pe02-3.mx.upcmail.net)
	by vie01a-pqmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1f4zAF-0007Yz-Tz
	for ffmpeg-devel@ffmpeg.org; Sun, 08 Apr 2018 03:30:39 +0200
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1f4zA9-0002Rv-VL
	for ffmpeg-devel@ffmpeg.org; Sun, 08 Apr 2018 03:30:33 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id XdWT1x01K0S5wYM01dWUnt; Sun, 08 Apr 2018 03:30:28 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun,  8 Apr 2018 03:29:44 +0200
Message-Id: <20180408012944.9406-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.16.2
Subject: [FFmpeg-devel] [PATCH] avcodec/movtextdec: Check style_start/end
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Limits based on 3GPP TS 26.245 V14.0.0
Fixes: Timeout
Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/movtextdec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 89ac791602..c38c5edce6 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
         m->s_temp->style_start = AV_RB16(tsmb);
         tsmb += 2;
         m->s_temp->style_end = AV_RB16(tsmb);
+
+        if (   m->s_temp->style_end < m->s_temp->style_start
+            || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) {
+            av_freep(&m->s_temp);
+            mov_text_cleanup(m);
+            return AVERROR(ENOMEM);
+        }
+
         tsmb += 2;
         m->s_temp->style_fontID = AV_RB16(tsmb);
         tsmb += 2;