From patchwork Thu Sep 5 20:16:05 2019
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 14938
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Thu, 5 Sep 2019 22:16:05 +0200
Message-Id: <20190905201609.998-4-andreas.rheinhardt@gmail.com>
In-Reply-To: <20190905201609.998-1-andreas.rheinhardt@gmail.com>
References: <20190905201609.998-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 4/8] avformat/matroskadec: Sanitize seekhead entries

A Seek element in a Matroska SeekHead should contain a SeekID and a SeekPosition element and, upon reading, they should be sanitized: Given that IDs are restricted to 32 bits, longer SeekIDs should be treated as invalid. Instead, currently the lower 32 bits have been used.

For SeekPosition, no checks were performed for whether the element is present and, if present, whether it was excessively large (i.e. the absolute file position described by it exceeding an int64_t). The SeekPosition element had a default value of -1, which means that a check seems to have been intended, but it was not implemented.

This commit adds a check for overflow to the calculation of the absolute file position of the referenced level 1 elements. Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that a Seek element without SeekPosition will run afoul of this check.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/matroskadec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index bdbddb58a5..2fe147126e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1856,8 +1856,12 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) MatroskaSeekhead *seekheads = seekhead_list->elem; uint32_t id = seekheads[i].id; int64_t pos = seekheads[i].pos + matroska->segment_start; + MatroskaLevel1Element *elem; - MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, id); + if (id != seekheads[i].id || pos < matroska->segment_start) + continue; + + elem = matroska_find_level1_elem(matroska, id); if (!elem || elem->parsed) continue;
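Review bot: the new `pos < matroska->segment_start` test in the hunk detects the overflow only through the wrap-around of `seekheads[i].pos + matroska->segment_start` and the subsequent out-of-range conversion to `int64_t` (assuming `seekheads[i].pos` is a `uint64_t`, as the commit message's UINT64_MAX default suggests); that conversion is implementation-defined in C, so a fully defined form such as `if (seekheads[i].pos > INT64_MAX - matroska->segment_start) continue;` placed before the addition would make the intent explicit and not depend on the compiler's choice. The same goes for `id != seekheads[i].id`, which relies on the implicit truncation in the `uint32_t id = seekheads[i].id;` initializer: a short comment on the `continue` ("SeekID wider than 32 bits or absolute position overflows int64_t") would spare the next reader from having to reconstruct why the two comparisons are there.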
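To illustrate the two checks the commit message describes, here is a constructed C example. It is not FFmpeg code and not part of this patch: the `seek_entry` struct, the function names and the sample entries are assumptions of this example, and the overflow test is written in the `pos > INT64_MAX - segment_start` form, which avoids the wrap-around that the hunk's `pos < segment_start` comparison relies on. The element IDs used as sample values are the Matroska Cluster (0x1F43B675) and Tags (0x1254C367) IDs.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed example (not FFmpeg code). Models a parsed Seek element:
 * id is the raw SeekID, pos the raw SeekPosition; UINT64_MAX stands in for
 * a missing SeekPosition, mirroring the patch's default of -1. */
typedef struct {
    uint64_t id;
    uint64_t pos;
} seek_entry;

/* Applies the two sanity checks from the commit message. Returns true and
 * fills out_id/out_pos if the entry is usable, false if it must be skipped. */
bool sanitize_seek_entry(const seek_entry *e, int64_t segment_start,
                         uint32_t *out_id, int64_t *out_pos)
{
    if (segment_start < 0)
        return false;
    /* EBML element IDs are at most 32 bits wide: a longer SeekID is invalid
     * and is rejected instead of silently truncated to its low 32 bits. */
    if (e->id > UINT32_MAX)
        return false;
    /* Overflow-safe equivalent of "segment_start + pos > INT64_MAX": the
     * subtraction cannot underflow because segment_start is non-negative, and
     * the comparison needs no unsigned-to-signed conversion. A missing
     * SeekPosition (UINT64_MAX) always fails here, as the patch intends. */
    if (e->pos > (uint64_t)(INT64_MAX - segment_start))
        return false;
    *out_id  = (uint32_t)e->id;
    *out_pos = segment_start + (int64_t)e->pos;
    return true;
}

/* Convenience wrapper: the absolute file position, or -1 if rejected. */
int64_t abs_pos_or_minus1(uint64_t id, uint64_t pos, int64_t segment_start)
{
    seek_entry e = { id, pos };
    uint32_t out_id;
    int64_t out_pos;
    return sanitize_seek_entry(&e, segment_start, &out_id, &out_pos) ? out_pos : -1;
}

/* Runs a few constructed entries through the check and returns how many pass. */
int demo_count_valid(void)
{
    const seek_entry entries[] = {
        { 0x1F43B675ULL, 1000 },                /* Cluster ID, sane position: accepted */
        { 0x1F43B675ULL, UINT64_MAX },          /* SeekPosition absent (default -1): rejected */
        { 0x1FFFFFFFFULL, 1000 },               /* 33-bit SeekID: rejected, not truncated */
        { 0x1254C367ULL, (uint64_t)INT64_MAX }, /* absolute position would exceed int64_t: rejected */
    };
    const int64_t segment_start = 100;
    int ok = 0;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        uint32_t id;
        int64_t pos;
        if (sanitize_seek_entry(&entries[i], segment_start, &id, &pos)) {
            ok++;
            printf("entry %zu: id=0x%08" PRIX32 " abs_pos=%" PRId64 "\n", i, id, pos);
        } else {
            printf("entry %zu: rejected\n", i);
        }
    }
    return ok;
}

int main(void)
{
    return demo_count_valid() == 1 ? 0 : 1;
}
```

The rejected entries are simply skipped, which matches the `continue` in the patched loop: a malformed SeekHead entry must never steer the demuxer to an arbitrary or wrapped-around file offset, and it is safer to fall back to scanning for the level 1 elements than to trust the index.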