From patchwork Fri May 1 00:55:20 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 19410
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Fri, 1 May 2020 02:55:20 +0200
Message-Id: <20200501005522.16402-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/3] avformat/matroskadec: Sanitize SeekHead entries

A Seek element in a Matroska SeekHead should contain a SeekID and a SeekPosition element and upon reading, they should be sanitized: Given that IDs are restricted to 32 bit, longer SeekIDs should be treated as invalid. Instead, currently the lower 32 bits have been used.

For SeekPosition, no checks were performed for the element to be present and, if present, whether it was excessively large (i.e. the absolute file position described by it exceeding INT64_MAX). The SeekPosition element had a default value of -1, which means that a check seems to have been intended; but it was not implemented.

This commit adds a check for overflow to the calculation of the absolute file position of the referenced level 1 elements. Using -1 (i.e. UINT64_MAX) as the default value for SeekPosition implies that a Seek element without SeekPosition will run afoul of this check.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/matroskadec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 8e1326abf6..dea8f14f9e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1865,8 +1865,12 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) MatroskaSeekhead *seekheads = seekhead_list->elem; uint32_t id = seekheads[i].id; int64_t pos = seekheads[i].pos + matroska->segment_start; + MatroskaLevel1Element *elem; - MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, id); + if (id != seekheads[i].id || pos < matroska->segment_start) + continue; + + elem = matroska_find_level1_elem(matroska, id); if (!elem || elem->parsed) continue;
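Review bot: the overflow test `pos < matroska->segment_start` only works because `int64_t pos = seekheads[i].pos + matroska->segment_start;` is allowed to wrap in uint64_t and the out-of-range result is then converted to int64_t, a conversion that is implementation-defined in C and that nothing in the hunk documents. Consider either a comment stating that seekheads[i].pos is uint64_t with UINT64_MAX as the "missing" default and that wraparound is the detection mechanism, or checking `seekheads[i].pos > INT64_MAX - matroska->segment_start` before the addition so no out-of-range value is ever produced. The same applies to `if (id != seekheads[i].id || pos < matroska->segment_start)`: the truncation check only works if seekheads[i].id is wider than uint32_t (as the commit message implies), which a one-line comment next to `uint32_t id = seekheads[i].id;` would make obvious to the next reader.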
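The three sanitizing rules the commit message describes (SeekID wider than 32 bits, missing SeekPosition, absolute position beyond INT64_MAX), written as an added stand-alone example rather than FFmpeg's own code; the struct, the `SEEKPOS_MISSING` sentinel and the function names are assumptions made for this example, and the overflow check is done before the addition instead of via wraparound.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the demuxer's raw Seek entry, before sanitizing.
 * A SeekPosition that was absent keeps the default UINT64_MAX (the "-1" of
 * the commit message); seek_id is kept wider than 32 bits so that an
 * over-long SeekID can be detected rather than silently truncated. */
typedef struct {
    uint64_t seek_id;   /* SeekID as read; may exceed 32 bits */
    uint64_t seek_pos;  /* SeekPosition relative to the segment start */
} seek_entry;

#define SEEKPOS_MISSING UINT64_MAX   /* assumed "not present" default */

/* Returns true and fills *id / *abs_pos when the entry is usable.
 * Rejects a SeekID wider than 32 bits, a missing SeekPosition, and an
 * absolute position that would exceed INT64_MAX. The overflow test runs
 * before the addition, so it never relies on unsigned wraparound or on the
 * implementation-defined uint64_t -> int64_t conversion. */
bool sanitize_seek_entry(const seek_entry *e, int64_t segment_start,
                         uint32_t *id, int64_t *abs_pos)
{
    if (segment_start < 0 || e->seek_id > UINT32_MAX)
        return false;                               /* bad input / long ID */
    if (e->seek_pos == SEEKPOS_MISSING)
        return false;                               /* no SeekPosition */
    if (e->seek_pos > (uint64_t)(INT64_MAX - segment_start))
        return false;                               /* would overflow */
    *id      = (uint32_t)e->seek_id;
    *abs_pos = segment_start + (int64_t)e->seek_pos;
    return true;
}

/* Convenience wrapper mirroring the patch's "continue" on a bad entry:
 * returns the absolute file position, or -1 if the entry must be skipped. */
int64_t seek_entry_abs_pos(uint64_t seek_id, uint64_t seek_pos,
                           int64_t segment_start)
{
    seek_entry e = { seek_id, seek_pos };
    uint32_t id;
    int64_t pos;
    return sanitize_seek_entry(&e, segment_start, &id, &pos) ? pos : -1;
}
```

The sample IDs in the checks below use the Matroska Cues element ID (0x1C53BB6B); the over-long variant simply has an extra leading nibble.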