From patchwork Thu May 31 17:41:29 2018
X-Patchwork-Submitter: Jacob Trimble
X-Patchwork-Id: 9183
Date: Thu, 31 May 2018 10:41:29 -0700
Message-Id: <20180531174129.217682-1-modmaker@google.com>
X-Mailer: git-send-email 2.17.0.921.gf22659ad46-goog
From: Jacob Trimble
To: ffmpeg-devel@ffmpeg.org
Cc: Jacob Trimble
Subject: [FFmpeg-devel] [PATCH] libavformat/mov: Fix heap buffer overflow.
List-Id: FFmpeg development discussions and patches

Found by Chrome's ClusterFuzz: https://crbug.com/847060

Signed-off-by: Jacob Trimble
--- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f2a540ad50..08cc382a68 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -5895,7 +5895,7 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); for (i = 0; i < sample_count; i++) { - unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); + unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count); encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, min_samples * sizeof(*encrypted_samples)); if (encrypted_samples) { @@ -5949,7 +5949,7 @@ static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon } for (i = 0; i < sample_count && !pb->eof_reached; i++) { - unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); + unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count); encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, min_samples * sizeof(*encrypted_samples)); if (!encrypted_samples) { @@ -6110,7 +6110,7 @@ static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); for (i = 0; i < entry_count && !pb->eof_reached; i++) { - unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count); + unsigned int min_offsets = FFMIN(FFMAX(i + 1, 1024), entry_count); auxiliary_offsets = av_fast_realloc( encryption_index->auxiliary_offsets, &alloc_size, min_offsets * sizeof(*auxiliary_offsets));
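
Review bot: In the mov_read_senc hunk, the reason for `i + 1` is not recorded anywhere: the commit message says only "Fix heap buffer overflow" and the changed `min_samples` line carries no comment. With the old `FFMAX(i, 1024 * 1024)`, once i reaches 1024 * 1024 the requested size covers only i entries (indices 0 to i - 1) while this iteration is working on entry i, so the buffer is one entry short. A one-line comment above `min_samples`, or a sentence in the commit message, saying that the buffer must hold i + 1 entries would keep the off-by-one from being reintroduced.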
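
Review bot: In the mov_parse_auxiliary_info hunk, `min_samples * sizeof(*encrypted_samples)` remains an unchecked multiplication, and nothing in the visible context bounds sample_count before it. If the function does not already reject large sample_count values above this loop, the product can wrap on builds where size_t is 32 bits, and av_fast_realloc would then be asked for fewer than i + 1 entries. Please confirm that such a bound exists earlier in the function, or add a checked multiply (for example with av_size_mult) before the call.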
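
Review bot: In the mov_read_saio hunk, `FFMIN(FFMAX(i + 1, 1024), entry_count)` is the third copy of the same growth expression, differing from the two sample loops only in its floor (1024 here, 1024 * 1024 there). Consider a small helper or macro that takes the index, the floor and the count, so the "room for i + 1 entries" rule lives in one place and a future call site cannot repeat the `i` versus `i + 1` mistake.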