From patchwork Fri Aug 17 19:32:45 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 10024
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 2002:a02:104:0:0:0:0:0 with SMTP id c4-v6csp1129252jad;
	Fri, 17 Aug 2018 12:33:08 -0700 (PDT)
X-Google-Smtp-Source: 
 ANB0VdZ7PcKGXItb3eUuzp06N/YucvSMJ5zn2acvmj3xkv++lNToGUnKEC9WXpmtfr+MEBqdgQX2
X-Received: by 2002:adf:dfca:: with SMTP id
	q10-v6mr759580wrn.113.1534534388673;
	Fri, 17 Aug 2018 12:33:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1534534388; cv=none;
	d=google.com; s=arc-20160816;
	b=R+6b5Pqs8iK00errLno00kSlyE2FXFMBLYK2+ltRqJPKWHy7n7Icm7UufxQPzwuvgZ
	3C0faz1Vnq9tJ2bocx6ufaQqkP96/pnqcHHTdKI9IWm+OkYI92FnygxYIqslwkuyFefM
	C3TBi7NsrYIMh8V9O3t9LDh0+CD+eb59XAWTyopQwMWMuFUxuY8IZdWBsbHomEmS41sS
	lYDpX+zB13vhY1ZlaNzjV0SQtvKuTjWYgE6b7CNOlXrFGDK906tJkp3k2svthSLT3hiS
	5LRGUmWq/vSXPcY7h2wRKw5mECbqZcSHpkh+F2T3XxnYNj8JrtI0HFNWIpaq5qKDAYja
	R2kg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=LhKS+CQa+gqXDkm8LmXjm29ZMjyzKNOFdmfeiVtTgMA=;
	b=OezGU4divbo8n/zKgk6SZIpp4r6SOZeS27a8E9BEvcaFS2YdtPR9itmPgGSmA/yBhZ
	a6529HE5RshGynv0BFBUTfpFa5KyN6hbt6lpdduuCYqFGrKlZOsPGqqq+mWloy5T7tDt
	RYm7Zx8yBLeRCUIdH1dvcMxITWOvOLet0c7yNTdZOQnqmbGY8PJEwtT4p5LbyjYzEVcA
	dKXvJjsrDiPNOc4h8JYIA6I1PbamJdLXnKjHrs1yrJ+dB9jh6P8swN1Ewcnk9WbbN98e
	Mc3fz/LVJDcN7dNB3zke8njaewPB9d3Nnls8bV8pJWDapEpDVq/yEZXVMpbCc8fmCEpe
	iibw==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	x8-v6si2159387wrt.345.2018.08.17.12.33.07;
	Fri, 17 Aug 2018 12:33:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 77BEB68A0D9;
	Fri, 17 Aug 2018 22:32:40 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-2.mx.upcmail.net
	(vie01a-dmta-pe05-2.mx.upcmail.net [84.116.36.12])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E1AED68A0AE
	for <ffmpeg-devel@ffmpeg.org>; Fri, 17 Aug 2018 22:32:33 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1fqkUV-0006mI-4h
	for ffmpeg-devel@ffmpeg.org; Fri, 17 Aug 2018 21:32:59 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id QKYo1y00w0S5wYM01KYpPN; Fri, 17 Aug 2018 21:32:50 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri, 17 Aug 2018 21:32:45 +0200
Message-Id: <20180817193245.950-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.18.0
Subject: [FFmpeg-devel] [PATCH] avformat/nsvdec: Do not parse multiple NSVf
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421

Found-by: Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/nsvdec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index d8ce656817..92f7d178f6 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -176,6 +176,7 @@ typedef struct NSVContext {
     int16_t avsync;
     AVRational framerate;
     uint32_t *nsvs_timestamps;
+    int nsvf;
 } NSVContext;
 
 static const AVCodecTag nsv_codec_video_tags[] = {
@@ -266,6 +267,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 
     nsv->state = NSV_UNSYNC; /* in case we fail */
 
+    if (nsv->nsvf) {
+        av_log(s, AV_LOG_TRACE, "Multiple NSVf\n");
+        return 0;
+    }
+    nsv->nsvf = 1;
+
     size = avio_rl32(pb);
     if (size < 28)
         return -1;