From patchwork Wed Apr 15 21:06:13 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 18987
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 15 Apr 2020 23:06:13 +0200
Message-Id: <20200415210614.29152-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/2] fftools/ffmpeg_opt: Check attachment filesize

The data of an attachment file is put into an AVCodecParameter's
extradata. The corresponding size field has type int, yet there was no
check for the size to fit into an int. As a consequence, it was possible
to create extradata with negative size (by using a big enough max_alloc).

Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit
systems) then the file size might be truncated before the allocation;
and avio_read() takes an int, too, so one would not have read as much
as one desired.

Furthermore, the extradata is now padded as is required.

Signed-off-by: Andreas Rheinhardt

--- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 93b3d96205..680f0f1dfb 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c 
@@ -2432,12 +2432,14 @@ loop_end: o->attachments[i]); exit_program(1); } - if (!(attachment = av_malloc(len))) { - av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n", + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE || + !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) { + av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n", o->attachments[i]); exit_program(1); } avio_read(pb, attachment, len); + memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); ost = new_attachment_stream(o, oc, -1); ost->stream_copy = 0;
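
Review bot: the return value of avio_read(pb, attachment, len) is still ignored directly after the new size check, so on a short read or I/O error the bytes between what was actually read and len remain uninitialized av_malloc() memory that then ends up in extradata; the added memset only zeroes the padding. Suggest storing the result and failing when it differs from len, or allocating with av_mallocz() so the tail is at least defined. The merged condition also reports "Attachment %s too large." for a plain allocation failure, so the two causes can no longer be told apart in the log; separate messages would help. Note that the check bounds len only from above, so it relies on the code before this hunk rejecting non-positive values, and INT_MAX requires <limits.h> if this file does not already include it.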