From patchwork Mon May 18 03:30:30 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 19730
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 2F21944AFD4
	for <patchwork@ffaux-bg.ffmpeg.org>; Mon, 18 May 2020 06:31:13 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1276768A460;
	Mon, 18 May 2020 06:31:13 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wr1-f66.google.com (mail-wr1-f66.google.com
 [209.85.221.66])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9A5C568A41E
 for <ffmpeg-devel@ffmpeg.org>; Mon, 18 May 2020 06:31:06 +0300 (EEST)
Received: by mail-wr1-f66.google.com with SMTP id e1so10031080wrt.5
 for <ffmpeg-devel@ffmpeg.org>; Sun, 17 May 2020 20:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=OiKeeI7rYqQwNSlAg9TRKTEcntvFjYOssOYOHb3MWno=;
 b=Q05HsHplqC2ecEUghYbT7I1VyFJMdI8fRnbJQpVCbUZcoB4bwLiolfI3EF40WOAO0v
 W9Rg1hQyWitEarph55P9jjgonYPNvRcCjv/ofEI/OY1IDbJHjeX/wpyFHcgfLYbal0Yd
 6KxYrXZ4M4h4mUHBNCX0xUnOimchusw0MX6b61xrnvwUWw08PeEp7XeNntl+KEQqJyXV
 BZiXHruoqSHwHawFreHdk4188FO3K1/715iFnkHj5VE0B6ImErSHtI/UEkAoBUEvrgAn
 MywaISMeLpJG9MgedaAMthiOXQ/eqMSo7J0meIGgO3ajE5NKnKByI+0ZQFe4VE5XviCz
 jy/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=OiKeeI7rYqQwNSlAg9TRKTEcntvFjYOssOYOHb3MWno=;
 b=Xccwm4CWHzSDvr7ta2PxWaKJNZx/0y47MoHfymD8Merei9huPaVPhuYvlg6knzV2Fe
 9Ob1h+O2ZWnEEcmyr356KDX0eDrRdqO+Qh2XyHk8a/FtHwqCPrlElZj5cpkPJ6Ph06d7
 eSRIhjV96mDuw/BbIYdrSw+vfRvbpQXpDW8lP8abAgZ8bRK7509HMbYGgrD6dye0N+pB
 ZwACQtqtkupHOeSbdItexOUMROctO+sKoKhXdkqlKag3F4Cc2G2Upzk+W7a+/wVJBAoA
 yBp/4VWMpPjjaye6bNtAo+B208KED6LZX82EdMCA514u+QLTcZnD6r8JFUutm/0/HJgt
 bU1A==
X-Gm-Message-State: AOAM532oWYKY1mrKcmYdtEGP4Nup0c9u1lpogoIkbNt5U5N28y88hXUa
 94EXdCEgkYzded6OfKdd4Fl66mHo
X-Google-Smtp-Source: 
 ABdhPJxumkKDfypiNyDWtH82vvyw19vVMpeZPubu3rLuCVZ3Th9R+HD01F7uCiU8IZFGFZT/BRsllg==
X-Received: by 2002:a5d:490e:: with SMTP id
 x14mr16650036wrq.375.1589772665803;
 Sun, 17 May 2020 20:31:05 -0700 (PDT)
Received: from sblaptop.fritz.box (ipbcc1ab57.dynamic.kabel-deutschland.de.
 [188.193.171.87])
 by smtp.gmail.com with ESMTPSA id a21sm1011151wmm.7.2020.05.17.20.31.04
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 17 May 2020 20:31:05 -0700 (PDT)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 18 May 2020 05:30:30 +0200
Message-Id: <20200518033033.27347-2-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200518033033.27347-1-andreas.rheinhardt@gmail.com>
References: <20200518033033.27347-1-andreas.rheinhardt@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 2/5] avformat/webmdashenc: Be more strict
	when parsing stream indices
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

The syntax of the adaptation_sets string by which the user determines
the mapping of AVStreams to adaptation sets is
"id=x,streams=a,b,c id=y,streams=d,e" (means: the streams with the
indices a, b and c belong to the adaptation set with id x). Yet there
was no check for whether these indices were actual numbers and if there
is a number whether it really extends to the next ',', ' ' or to the
end of the string or not. This commit adds a check for this.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/webmdashenc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index 05015a08c1..250c8ca3ad 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
@@ -465,18 +465,18 @@ static int parse_adaptation_sets(AVFormatContext *s)
             state = parsing_streams;
         } else if (state == parsing_streams) {
             struct AdaptationSet *as = &w->as[w->nb_as - 1];
+            int64_t num;
             int ret = av_reallocp_array(&as->streams, ++as->nb_streams,
                                         sizeof(*as->streams));
             if (ret < 0)
                 return ret;
-            q = p;
-            while (*q != '\0' && *q != ',' && *q != ' ') q++;
-            as->streams[as->nb_streams - 1] = strtoll(p, NULL, 10);
-            if (as->streams[as->nb_streams - 1] < 0 ||
-                as->streams[as->nb_streams - 1] >= s->nb_streams) {
+            num = strtoll(p, &q, 10);
+            if (!av_isdigit(*p) || (*q != ' ' && *q != '\0' && *q != ',') ||
+                num < 0 || num >= s->nb_streams) {
                 av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n");
                 return AVERROR(EINVAL);
             }
+            as->streams[as->nb_streams - 1] = num;
             if (*q == '\0') break;
             if (*q == ' ') state = new_set;
             p = ++q;