From patchwork Thu Jan 23 16:08:27 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 17490
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Thu, 23 Jan 2020 17:08:27 +0100
Message-Id: <20200123160832.2020-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/6] avformat/matroskaenc: Check for reformatting errors

This is needed especially for AV1: If a reformatting error happens (e.g.
if the length field of an OBU contained in the current packet indicates
that said OBU extends beyond the current packet), the data pointer is
still NULL, yet the size is unchanged, so that writing the data leads to
a segmentation fault.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/matroskaenc.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 953421435d..a72bcb0ba1 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2079,14 +2079,14 @@ fail: return ret; } -static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, - uint32_t blockid, AVPacket *pkt, int keyframe) +static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, + uint32_t blockid, AVPacket *pkt, int keyframe) { MatroskaMuxContext *mkv = s->priv_data; AVCodecParameters *par = s->streams[pkt->stream_index]->codecpar; mkv_track *track = &mkv->tracks[pkt->stream_index]; uint8_t *data = NULL, *side_data = NULL; - int offset = 0, size = pkt->size, side_data_size = 0; + int err = 0, offset = 0, size = pkt->size, side_data_size = 0; int64_t ts = track->write_dts ? pkt->dts : pkt->pts; uint64_t additional_id = 0; int64_t discard_padding = 0; 
@@ -2105,22 +2105,24 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, mkv->cluster_pos, track_number, keyframe != 0); if (par->codec_id == AV_CODEC_ID_H264 && par->extradata_size > 0 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) - ff_avc_parse_nal_units_buf(pkt->data, &data, &size); + err = ff_avc_parse_nal_units_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_HEVC && par->extradata_size > 6 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) /* extradata is Annex B, assume the bitstream is too and convert it */ - ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); + err = ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); else if (par->codec_id == AV_CODEC_ID_AV1) - ff_av1_filter_obus_buf(pkt->data, &data, &size); + err = ff_av1_filter_obus_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_WAVPACK) { - int ret = mkv_strip_wavpack(pkt->data, &data, &size); - if (ret < 0) { - av_log(s, AV_LOG_ERROR, "Error stripping a WavPack packet.\n"); - return; - } + err = mkv_strip_wavpack(pkt->data, &data, &size); } else data = pkt->data; + if (err < 0) { + av_log(s, AV_LOG_ERROR, "Error when reformatting data of " + "a packet from stream %d.\n", pkt->stream_index); + return err; + } + if (par->codec_id == AV_CODEC_ID_PRORES && size >= 8) { /* Matroska specification requires to remove the first QuickTime atom */ @@ -2184,6 +2186,8 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, if ((side_data_size && additional_id == 1) || discard_padding) { end_ebml_master(pb, block_group); } + + return 0; } static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) 
@@ -2389,7 +2393,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ relative_packet_pos = avio_tell(pb); if (par->codec_type != AVMEDIA_TYPE_SUBTITLE) { - mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + ret = mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + if (ret < 0) + return ret; if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && (par->codec_type == AVMEDIA_TYPE_VIDEO && keyframe || add_cue)) { ret = mkv_add_cuepoint(mkv->cues, pkt->stream_index, tracknum, ts, mkv->cluster_pos, relative_packet_pos, -1); if (ret < 0) return ret;
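Review bot: In the @@ -2105 hunk, the new `if (err < 0)` block returns immediately, so it relies on each of the four helpers (ff_avc_parse_nal_units_buf, ff_hevc_annexb2mp4_buf, ff_av1_filter_obus_buf, mkv_strip_wavpack) leaving `data` NULL when it fails; the commit message describes that state with AV1 as its example. If any of them can fail after allocating the output buffer, that buffer leaks on this path, so either confirm the contract for every helper or free `data` before `return err`. The generic log line also replaces the codec-specific WavPack message; including the error code, for instance with av_err2str(err), would keep failures diagnosable.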
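Review bot: The call in the @@ -2389 hunk is the only call site this patch updates, while the first hunk changes mkv_write_block from void to int. Any other caller in matroskaenc.c that is not touched here still compiles and silently discards the error: the crash is avoided there because mkv_write_block now returns early, but the muxer carries on as if the block had been written. Please check the remaining callers and propagate the return value the same way as `if (ret < 0) return ret;` does here.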