From patchwork Sat May 30 16:05:09 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 19991
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 30 May 2020 18:05:09 +0200
Message-Id: <20200530160541.29517-4-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200530160541.29517-1-andreas.rheinhardt@gmail.com>
References: <20200530160541.29517-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 04/36] avcodec/vp9_superframe_bsf: Check superframe size for overflow
List-Id: FFmpeg development discussions and patches
Cc: Andreas Rheinhardt

This is not dangerous now, because init_get_bits8() already restricts
the size of each packet to INT_MAX/8 - AV_INPUT_BUFFER_PADDING_SIZE.
But it is nevertheless better to check this explicitly.

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/vp9_superframe_bsf.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/libavcodec/vp9_superframe_bsf.c b/libavcodec/vp9_superframe_bsf.c index f330970acc..a8b58a7fd3 100644 --- a/libavcodec/vp9_superframe_bsf.c +++ b/libavcodec/vp9_superframe_bsf.c @@ -42,10 +42,11 @@ static void vp9_superframe_flush(AVBSFContext *ctx) } static void stats(AVPacket * const *in, int n_in, - unsigned *_max, unsigned *_sum) + unsigned *_max, uint64_t *_sum) { int n; - unsigned max = 0, sum = 0; + uint64_t sum = 0; + unsigned max = 0; for (n = 0; n < n_in; n++) { unsigned sz = in[n]->size; @@ -61,15 +62,18 @@ static void stats(AVPacket * const *in, int n_in, static int merge_superframe(AVPacket * const *in, int n_in, AVPacket *out) { - unsigned max, sum, mag, marker, n, sz; + unsigned max, mag, marker, n; + uint64_t sum; uint8_t *ptr; int res; stats(in, n_in, &max, &sum); mag = av_log2(max) >> 3; marker = 0xC0 + (mag << 3) + (n_in - 1); - sz = sum + 2 + (mag + 1) * n_in; - res = av_new_packet(out, sz); + sum += 2 + (mag + 1) * n_in; + if (sum > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) + return AVERROR(ERANGE); + res = av_new_packet(out, sum); if (res < 0) return res; ptr = out->data;
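
Review bot: in stats(), nothing at the `uint64_t sum = 0;` declaration says why the accumulator is wider than `max` and `sz`, and that width is now the only thing keeping the running total from wrapping before merge_superframe() range-checks it. A one-line comment there, stating that the sum of n_in unsigned packet sizes must not wrap ahead of the INT_MAX check, would keep a later cleanup from narrowing it back to unsigned. The `_sum` out-parameter changes type in the same hunk, so any caller other than merge_superframe() has to be updated with it.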
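
Review bot: in merge_superframe(), the product in `sum += 2 + (mag + 1) * n_in;` is still evaluated in 32-bit unsigned arithmetic (mag is unsigned, n_in is int) and only then added to the 64-bit sum, so the new range check sees the index overhead after any wrap rather than before it. If n_in is bounded by the caller, which the visible lines do not show, state the bound in a comment; otherwise widen one operand, for example `(uint64_t)(mag + 1) * n_in`. The call `av_new_packet(out, sum)` also narrows the uint64_t to the function's int size argument implicitly; an explicit `(int)sum` after the check would make it clear the narrowing is intended and safe.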