From patchwork Tue Jun 26 11:02:38 2018
X-Patchwork-Submitter: Baozeng Ding
X-Patchwork-Id: 9510
From: Baozeng Ding
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 26 Jun 2018 19:02:38 +0800
Message-Id: <20180626110238.23761-1-sploving1@gmail.com>
Subject: [FFmpeg-devel] [PATCH] Fix heap buffer overflow in ff_combine_frame

Signed-off-by: Baozeng Ding --- libavcodec/parser.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index f43b197..a9786af 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -355,6 +355,7 @@ int ff_combine_frame(ParseContext *pc, int next, av_assert0(next >= 0 || pc->buffer); + int origin_buf_size = *buf_size; *buf_size = pc->overread_index = pc->index + next;
@@ -370,9 +371,12 @@ int ff_combine_frame(ParseContext *pc, int next, return AVERROR(ENOMEM); } pc->buffer = new_buffer; - if (next > -AV_INPUT_BUFFER_PADDING_SIZE) - memcpy(&pc->buffer[pc->index], *buf, - next + AV_INPUT_BUFFER_PADDING_SIZE); + if (next > -AV_INPUT_BUFFER_PADDING_SIZE) { + int copy_len = next + AV_INPUT_BUFFER_PADDING_SIZE; + if (next + AV_INPUT_BUFFER_PADDING_SIZE > origin_buf_size) + copy_len = origin_buf_size; + memcpy(&pc->buffer[pc->index], *buf, copy_len); + } pc->index = 0; *buf = pc->buffer; }
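Review bot: the commit message is empty, so the first hunk (saving `*buf_size` before `*buf_size = pc->overread_index = pc->index + next;` overwrites it) arrives without the analysis a reviewer needs: which parser returned a `next` larger than its input, and how the heap overflow was reproduced. Please add that to the body. Also, `int origin_buf_size = *buf_size;` is placed after the `av_assert0(next >= 0 || pc->buffer);` statement; move it up with the function's other declarations as the surrounding code does, and `orig_buf_size` would match the naming used elsewhere in the code base.

Review bot: the clamp in the second hunk changes what is copied without changing what the caller is told. `*buf_size` still advertises `pc->index + next` bytes, but when `next + AV_INPUT_BUFFER_PADDING_SIZE > origin_buf_size` only `origin_buf_size` bytes are written, so the tail of the returned frame (and its padding region, which av_fast_realloc does not zero) is left uninitialized instead of overrun, and the decoder consuming `*buf` reads stale heap data. A `next` that exceeds the input is a defect in the parser that produced it, so this path should reject it rather than truncate, for example return AVERROR_INVALIDDATA with `*buf_size = 0`, consistent with the AVERROR(ENOMEM) return a few lines above. The comparison is also lopsided: the existing copy of `next + AV_INPUT_BUFFER_PADDING_SIZE` bytes already relies on `*buf` carrying AV_INPUT_BUFFER_PADDING_SIZE bytes of padding beyond `origin_buf_size`, so the check should compare `next` against `origin_buf_size`; as written, a legitimate frame ending within AV_INPUT_BUFFER_PADDING_SIZE bytes of the end of the input also loses its padding copy.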