From patchwork Sat Dec 14 22:19:16 2019
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 16786
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 14 Dec 2019 23:19:16 +0100
Message-Id: <20191214221926.16074-4-andreas.rheinhardt@gmail.com>
In-Reply-To: <20191214221926.16074-1-andreas.rheinhardt@gmail.com>
References: <20191214221926.16074-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH v2 04/14] h264_mp4toannexb: Improve extradata overread checks
Cc: Andreas Rheinhardt

Currently, during parsing of the extradata, h264_mp4toannexb checks for overreads by adding the size of the current unit to the current position pointer and comparing this to the end position of the extradata. But pointer comparisons and pointer arithmetic are only defined if it does not exceed the object it is used on (one past the last element of an array is allowed, too). In practice, this might lead to overflows. Therefore the check has been changed to use bytestream2_get_bytes_left(), which means that the pointers get subtracted and the result gets compared to the available size.

Furthermore, the error code has been fixed.

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/h264_mp4toannexb_bsf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index f31902b506..b9c6b165af 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -101,11 +101,11 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding) unit_size = bytestream2_get_be16u(gb); total_size += unit_size + 4; av_assert1(total_size <= INT_MAX - padding); - if (gb->buffer + unit_size > gb->buffer_end) { + if (bytestream2_get_bytes_left(gb) < unit_size) { av_log(ctx, AV_LOG_ERROR, "Packet header is not contained in global extradata, " "corrupted stream or invalid MP4/AVCC bitstream\n"); av_free(out); - return AVERROR(EINVAL); + return AVERROR_INVALIDDATA; } if ((err = av_reallocp(&out, total_size + padding)) < 0) return err;
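Review bot: the new `bytestream2_get_bytes_left(gb) < unit_size` test only guards the unit payload; the two-byte length field itself is still read with the unchecked `bytestream2_get_be16u(gb)` one line earlier, so the correctness of this hunk rests on a check elsewhere in the loop guaranteeing that at least 2 bytes remain before each unit. That invariant is not visible here and is not mentioned in the commit message; please state it in the message (or in a one-line comment above the read) so the next reader does not have to reconstruct it. A smaller point in the same hunk: `total_size += unit_size + 4; av_assert1(total_size <= INT_MAX - padding);` runs before the bounds check, so a corrupted `unit_size` is folded into `total_size` and asserted on before being rejected; moving the `if (bytestream2_get_bytes_left(gb) < unit_size)` block above the accumulation keeps the assert from ever seeing a size the function is about to discard. The switch from `AVERROR(EINVAL)` to `AVERROR_INVALIDDATA` matches the "corrupted stream" wording of the log message and is the right code for malformed input.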