From patchwork Wed Jun 27 18:11:20 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 9522
Delivered-To: ffmpegpatchwork@gmail.com
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 27 Jun 2018 20:11:20 +0200 Message-Id: <20180627181121.30735-7-michael@niedermayer.cc> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180627181121.30735-1-michael@niedermayer.cc> References: <20180627181121.30735-1-michael@niedermayer.cc> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 7/8] avcodec/mpeg4videodec: Check read profile before setting it X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: null pointer dereference Fixes: ffmpeg_crash_7.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d0ebaac6e8..54a8496244 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1980,15 +1980,15 @@ static int mpeg4_decode_gop_header(MpegEncContext *s, GetBitContext *gb) return 0; } -static int mpeg4_decode_profile_level(MpegEncContext *s, GetBitContext *gb) +static int mpeg4_decode_profile_level(MpegEncContext *s, GetBitContext *gb, int *profile, int *level) { - s->avctx->profile = get_bits(gb, 4); - s->avctx->level = get_bits(gb, 4); + *profile = get_bits(gb, 4); + *level = get_bits(gb, 4); // for Simple profile, level 0 - if (s->avctx->profile == 0 && s->avctx->level == 8) { - s->avctx->level = 0; + if (*profile == 0 && *level == 8) { + *level = 0; } return 0; 
@@ -3211,13 +3211,19 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } else if (startcode == GOP_STARTCODE) { mpeg4_decode_gop_header(s, gb); } else if (startcode == VOS_STARTCODE) { - mpeg4_decode_profile_level(s, gb); - if (s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO && - (s->avctx->level > 0 && s->avctx->level < 9)) { + int profile, level; + mpeg4_decode_profile_level(s, gb, &profile, &level); + if (profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO && + (level > 0 && level < 9)) { s->studio_profile = 1; next_start_code_studio(gb); extension_and_user_data(s, gb, 0); + } else if (s->studio_profile) { + avpriv_request_sample(s->avctx, "Mixes studio and non studio profile\n"); + return AVERROR_PATCHWELCOME; } + s->avctx->profile = profile; + s->avctx->level = level; } else if (startcode == VISUAL_OBJ_STARTCODE) { if (s->studio_profile) { if ((ret = decode_studiovisualobject(ctx, gb)) < 0) @@ -3238,6 +3244,7 @@ end: s->avctx->has_b_frames = !s->low_delay; if (s->studio_profile) { + av_assert0(s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO); if (!s->avctx->bits_per_raw_sample) { av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n"); return AVERROR_INVALIDDATA;
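Review bot: in the first hunk (mpeg4_decode_profile_level) the `s` parameter is no longer referenced once the `s->avctx->profile` / `s->avctx->level` stores are replaced by the `*profile` / `*level` out-parameters, so it could be dropped from the signature and from the single call site; the function also still unconditionally returns 0, which the caller ignores, so either make it void or have it report a real error. Both out-parameters are written before the Simple profile / level 8 fixup, so a caller can rely on `profile` and `level` being initialised on return.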
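Review bot: in the VOS_STARTCODE hunk the new `else if (s->studio_profile)` branch rejects a non-studio VOS that follows a studio one and returns before `s->avctx->profile` / `s->avctx->level` are overwritten, which is what keeps the studio state and the advertised profile consistent; the reverse transition (a studio VOS arriving after non-studio headers have already been parsed) still takes the first branch and sets `s->studio_profile = 1`, so it is worth confirming that whatever the earlier non-studio parsing left in the context is harmless on the studio path, or rejecting that direction symmetrically. Minor: avpriv_request_sample appends its own explanatory text after the message, so the trailing `\n` in "Mixes studio and non studio profile\n" splits the log line mid-sentence; drop it and write "non-studio".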
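Review bot: in the last hunk, av_assert0 is compiled in at every assert level and aborts the process, so for a decoder fed untrusted input any violation of the invariant "`s->studio_profile` implies `s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO`" becomes a crash rather than a decode error. That is acceptable only because, as far as these hunks show, the VOS branch is the sole writer of `s->studio_profile` and now returns with AVERROR_PATCHWELCOME before overwriting `s->avctx->profile` when a non-studio VOS follows; if `s->avctx->profile` can be changed by anything outside this function (for example the caller setting it before decoding), an av_log plus `return AVERROR_INVALIDDATA` would be the safer check here.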