From patchwork Sat May 30 16:05:22 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 20006
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 30 May 2020 18:05:22 +0200
Message-Id: <20200530160541.29517-17-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200530160541.29517-1-andreas.rheinhardt@gmail.com>
References: <20200530160541.29517-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 17/36] avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input
Cc: Andreas Rheinhardt

The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit is so big that it extends beyond the end of the input packet; it does so only implicitly by using the checked version of the bytestream2 API. But this has downsides compared to real checks: It can lead to huge allocations (up to 2GiB) even when the input packet is just a few bytes. And furthermore it leads to uninitialized data being output. So add a check to error out early if it happens.

Also check directly whether there is enough data for the length field.

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/hevc_mp4toannexb_bsf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index a880d9ba9a..ba1deb2848 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -142,10 +142,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); - if (nalu_size < 2) { + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { ret = AVERROR_INVALIDDATA; goto fail; }
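Review bot: Both new rejections in this hunk set ret = AVERROR_INVALIDDATA and jump to fail without any av_log, so a packet refused for a truncated length field or for an oversized NAL unit is indistinguishable, when debugging, from the pre-existing nalu_size < 2 case; consider an av_log(ctx, AV_LOG_ERROR, ...) before each goto that reports nalu_size and bytestream2_get_bytes_left(&gb), so malformed input is diagnosable. The checks themselves are correct as far as the hunk shows: the first guarantees the loop consumes s->length_size bytes that actually exist rather than zeros from an exhausted reader, and the second bounds nalu_size by the remaining input before anything downstream sizes an allocation or a copy from it.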
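To make the failure mode in the commit message concrete, here is an added, stand-alone C example of the same length-prefixed-to-Annex-B conversion with the two bounds checks the patch introduces. It is not FFmpeg's code: the function name mp4_to_annexb, the error codes and the sample buffers are constructed for this example, and the NAL payload bytes are dummies rather than real HEVC data. The point it demonstrates is that a length field is attacker-controlled input and must be compared against the bytes actually left in the packet before it is used to size a copy or an allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes for this example only (not FFmpeg's AVERROR values). */
enum { NAL_OK = 0, NAL_ERR_INVALIDDATA = -1, NAL_ERR_NOSPACE = -2 };

/*
 * Convert length-prefixed (mp4/hvcC-style) NAL units to Annex B with
 * 4-byte start codes. length_size is the width of each length field
 * (1..4 bytes). On success the number of bytes written is stored in
 * *out_len and NAL_OK is returned; otherwise a negative code.
 *
 * Both checks mirror the patch: enough input for the length field,
 * and a NAL size that is neither shorter than the 2-byte NAL header
 * nor longer than what is actually left in the packet.
 */
static int mp4_to_annexb(const uint8_t *in, size_t in_size, int length_size,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    static const uint8_t start_code[4] = { 0, 0, 0, 1 };
    size_t pos = 0, written = 0;

    if (length_size < 1 || length_size > 4)
        return NAL_ERR_INVALIDDATA;

    while (pos < in_size) {
        uint32_t nalu_size = 0;
        size_t left = in_size - pos;

        /* Is the length field itself fully inside the packet? */
        if (left < (size_t)length_size)
            return NAL_ERR_INVALIDDATA;
        for (int i = 0; i < length_size; i++)
            nalu_size = (nalu_size << 8) | in[pos++];
        left = in_size - pos;

        /* Reject before anything is sized from nalu_size: a claimed
         * size beyond the packet would otherwise read past the input
         * or drive a huge allocation from a few bytes of data. */
        if (nalu_size < 2 || nalu_size > left)
            return NAL_ERR_INVALIDDATA;

        if (out_cap - written < 4 + (size_t)nalu_size)
            return NAL_ERR_NOSPACE;
        memcpy(out + written, start_code, sizeof(start_code));
        written += sizeof(start_code);
        memcpy(out + written, in + pos, nalu_size);
        written += nalu_size;
        pos += nalu_size;
    }
    *out_len = written;
    return NAL_OK;
}

/* Constructed sample: two NAL units, 4-byte length prefixes, dummy payloads. */
static const uint8_t sample_ok[] = {
    0x00, 0x00, 0x00, 0x03, 0x40, 0x01, 0xAA, /* 3-byte NAL unit */
    0x00, 0x00, 0x00, 0x02, 0x26, 0x01,       /* 2-byte NAL unit */
};
/* Same bytes, but the second length field claims 0x7FFFFFFF bytes. */
static const uint8_t sample_oversized[] = {
    0x00, 0x00, 0x00, 0x03, 0x40, 0x01, 0xAA,
    0x7F, 0xFF, 0xFF, 0xFF, 0x26, 0x01,
};
/* Packet cut off in the middle of the second length field. */
static const uint8_t sample_short[] = {
    0x00, 0x00, 0x00, 0x03, 0x40, 0x01, 0xAA,
    0x00, 0x00,
};

/* Convert one buffer with 4-byte length fields; returns the Annex B
 * size on success or the negative error code. */
static long convert_len(const uint8_t *in, size_t in_size)
{
    uint8_t out[64];
    size_t n = 0;
    int ret = mp4_to_annexb(in, in_size, 4, out, sizeof(out), &n);
    return ret < 0 ? ret : (long)n;
}

int main(void)
{
    printf("valid packet      -> %ld\n", convert_len(sample_ok, sizeof(sample_ok)));
    printf("oversized NAL     -> %ld\n", convert_len(sample_oversized, sizeof(sample_oversized)));
    printf("truncated length  -> %ld\n", convert_len(sample_short, sizeof(sample_short)));
    return 0;
}
```

The valid packet becomes 13 bytes of Annex B (two 4-byte start codes plus the 3- and 2-byte payloads); the oversized and truncated packets are rejected before any copy is attempted, which is the behaviour the patch adds to the bsf.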