| Message ID | 20190706165922.30457-1-andreas.rheinhardt@gmail.com |
|---|---|
| State | Accepted |
| Commit | eb33be188d2acb99e8f0f6a5cb45c931ed947cd0 |
| Headers | show |
On 7/6/2019 1:59 PM, Andreas Rheinhardt wrote: > This commit fixes an overflow introduced in a569a7b3 that affected EBML > elements that the Matroska demuxer doesn't want to parse like CRC-32 > elements. The return value of avio_skip (the new position on success or > an AVERROR on failure) has been assigned to an integer which meant that > new positions in the range of 2GB to 4GB-1 etc. were considered errors. > > Fixes ticket #8001. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > libavformat/matroskadec.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > index bc73bfed11..4d7076fa26 100644 > --- a/libavformat/matroskadec.c > +++ b/libavformat/matroskadec.c > @@ -1259,12 +1259,13 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, > return 1; > default: > if (length) { > + int64_t res2; > if (ffio_limit(pb, length) != length) { > // ffio_limit emits its own error message, > // so we don't have to. > return AVERROR(EIO); > } > - if ((res = avio_skip(pb, length - 1)) >= 0) { > + if ((res2 = avio_skip(pb, length - 1)) >= 0) { > // avio_skip might take us past EOF. We check for this > // by skipping only length - 1 bytes, reading a byte and > // checking the error flags. This is done in order to check > @@ -1272,7 +1273,8 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, > // no filesize (that ffio_limit relies on) is available. > avio_r8(pb); > res = NEEDS_CHECKING; > - } > + } else > + res = res2; > } else > res = 0; > } Pushed.
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index bc73bfed11..4d7076fa26 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1259,12 +1259,13 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, return 1; default: if (length) { + int64_t res2; if (ffio_limit(pb, length) != length) { // ffio_limit emits its own error message, // so we don't have to. return AVERROR(EIO); } - if ((res = avio_skip(pb, length - 1)) >= 0) { + if ((res2 = avio_skip(pb, length - 1)) >= 0) { // avio_skip might take us past EOF. We check for this // by skipping only length - 1 bytes, reading a byte and // checking the error flags. This is done in order to check @@ -1272,7 +1273,8 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, // no filesize (that ffio_limit relies on) is available. avio_r8(pb); res = NEEDS_CHECKING; - } + } else + res = res2; } else res = 0; }
This commit fixes an overflow introduced in a569a7b3 that affected EBML elements that the Matroska demuxer doesn't want to parse like CRC-32 elements. The return value of avio_skip (the new position on success or an AVERROR on failure) has been assigned to an integer which meant that new positions in the range of 2GB to 4GB-1 etc. were considered errors. Fixes ticket #8001. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavformat/matroskadec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)