From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 30 May 2020 18:05:12 +0200
Message-Id: <20200530160541.29517-7-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200530160541.29517-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 07/36] avcodec/vp9_superframe_split_bsf: Discard frames with size zero
X-Patchwork-Id: 19995

They are invalid in VP9. If the packet given to the bsf has a size of zero, it would try to access pkt->data[-1], which could lead to segfaults. And if any of the frames inside a superframe had a size of zero, the code would either read into the next frame or into the superframe index.
Signed-off-by: Andreas Rheinhardt --- libavcodec/vp9_superframe_split_bsf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c index ed0444561a..6ebecfa8ae 100644 --- a/libavcodec/vp9_superframe_split_bsf.c +++ b/libavcodec/vp9_superframe_split_bsf.c @@ -51,6 +51,11 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) return ret; in = s->buffer_pkt; + if (in->size <= 0) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + marker = in->data[in->size - 1]; if ((marker & 0xe0) == 0xc0) { int length_size = 1 + ((marker >> 3) & 0x3); @@ -70,7 +75,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) frame_size |= bytestream2_get_byte(&bc) << (j * 8); total_size += frame_size; - if (frame_size < 0 || total_size > in->size - idx_size) { + if (frame_size <= 0 || total_size > in->size - idx_size) { av_log(ctx, AV_LOG_ERROR, "Invalid frame size in a superframe: %d\n", frame_size); ret = AVERROR(EINVAL);
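Review bot: in the first hunk the new `goto fail` for `in->size <= 0` runs after `in = s->buffer_pkt;`, i.e. once the input has already been moved into the filter's buffer packet, so please confirm that the `fail:` label it jumps to unrefs `s->buffer_pkt`; otherwise an empty packet leaves stale state behind for the next call. The error code is also inconsistent with the frame-size check in the loop below, which reports `AVERROR(EINVAL)` for the same class of problem (malformed input data); `AVERROR_INVALIDDATA` is the right code for both, so either use it here and in the loop, or at least keep the two paths consistent.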
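Review bot: in the second hunk the tightened `frame_size <= 0 || total_size > in->size - idx_size` check still runs after `total_size += frame_size;`. `frame_size` is an int (the log line formats it with `%d`) assembled from up to four bytes via `bytestream2_get_byte(&bc) << (j * 8)`, so a positive value close to INT_MAX added to a small `total_size` overflows a signed int before the comparison, and a wrapped negative `total_size` then satisfies neither condition and the loop continues. Compare before accumulating instead, e.g. `if (frame_size <= 0 || frame_size > in->size - idx_size - total_size)` and only then `total_size += frame_size;`. Changing `< 0` to `<= 0` is otherwise the right fix, since a zero-length frame would make the split read into the next frame or into the index.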
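As an added example, not FFmpeg's code and not part of this patch, the following standalone parser splits a VP9 superframe the way the filter above does, with the two checks the patch introduces (reject an empty packet, reject a zero-size frame) and a bounds check performed before the running total is updated. The index layout is assumed from the VP9 bitstream specification, Annex B: the packet ends with a marker byte, one little-endian size field per frame, and the marker byte again. The sample packets are constructed by hand and the frame bytes in them are arbitrary; the function names (`vp9_split_superframe`, `vp9_frame_count`, `vp9_frame_size`) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not FFmpeg's code. Index layout assumed from the VP9 spec,
 * Annex B: the packet ends with
 *   marker, nb_frames sizes (little endian, length_size bytes each), marker
 * where marker = 0b110 xx yyy, xx = length_size - 1, yyy = nb_frames - 1. */

#define MAX_FRAMES 8  /* 3-bit frame count: at most 8 frames per superframe */

/* Returns the number of frames listed in the index (1..8), 0 if the packet
 * carries no superframe index (it is a single frame), or -1 if malformed. */
int vp9_split_superframe(const uint8_t *data, int size, int sizes[MAX_FRAMES])
{
    if (size <= 0)                 /* otherwise data[size - 1] is data[-1] */
        return -1;

    uint8_t marker = data[size - 1];
    if ((marker & 0xe0) != 0xc0)
        return 0;

    int length_size = 1 + ((marker >> 3) & 0x3);
    int nb_frames   = 1 + (marker & 0x7);
    int idx_size    = 2 + nb_frames * length_size;

    /* the index must fit in the packet and be bracketed by the marker byte */
    if (size < idx_size || data[size - idx_size] != marker)
        return -1;

    const uint8_t *p = data + size - idx_size + 1;  /* first size field */
    int payload = size - idx_size;                  /* bytes left for frame data */
    int total   = 0;

    for (int i = 0; i < nb_frames; i++) {
        /* unsigned accumulation: a 4-byte size with bit 31 set must not be
         * shifted into the sign bit of an int */
        uint32_t fs = 0;
        for (int j = 0; j < length_size; j++)
            fs |= (uint32_t)*p++ << (j * 8);

        /* a zero-size frame is invalid in VP9; compare against the remaining
         * payload before adding, so the running total can never overflow */
        if (fs == 0 || fs > (uint32_t)(payload - total))
            return -1;
        sizes[i] = (int)fs;
        total   += (int)fs;
    }
    return nb_frames;
}

/* Wrappers used by the demo below: frame count, and size of frame idx
 * (-1 if the packet is rejected, has no index, or idx is out of range). */
int vp9_frame_count(const uint8_t *data, int size)
{
    int sizes[MAX_FRAMES];
    return vp9_split_superframe(data, size, sizes);
}

int vp9_frame_size(const uint8_t *data, int size, int idx)
{
    int sizes[MAX_FRAMES];
    int n = vp9_split_superframe(data, size, sizes);
    return (n > 0 && idx >= 0 && idx < n) ? sizes[idx] : -1;
}

/* Constructed sample packets (hand-made, not captured from a real stream);
 * only the trailing index bytes matter for the split. */
static const uint8_t PKT_TWO_FRAMES[] = { 0x82, 0x49, 0x83, 0x42, 0x00,
                                          0xc1, 3, 2, 0xc1 };        /* frames of 3 and 2 bytes */
static const uint8_t PKT_ZERO_FRAME[] = { 0x82, 0x49, 0x83,
                                          0xc1, 3, 0, 0xc1 };        /* second frame has size 0 */
static const uint8_t PKT_NO_INDEX[]   = { 0x82, 0x49, 0x83, 0x42 };  /* plain single frame */
static const uint8_t PKT_HUGE_FRAME[] = { 1, 2, 3, 4,                 /* 4-byte sizes: 2, then 0x7fffffff */
                                          0xd9, 2, 0, 0, 0, 0xff, 0xff, 0xff, 0x7f, 0xd9 };

int main(void)
{
    printf("two frames : %d\n", vp9_frame_count(PKT_TWO_FRAMES, (int)sizeof PKT_TWO_FRAMES));
    printf("zero frame : %d\n", vp9_frame_count(PKT_ZERO_FRAME, (int)sizeof PKT_ZERO_FRAME));
    printf("empty pkt  : %d\n", vp9_frame_count(PKT_TWO_FRAMES, 0));
    printf("no index   : %d\n", vp9_frame_count(PKT_NO_INDEX, (int)sizeof PKT_NO_INDEX));
    printf("huge frame : %d\n", vp9_frame_count(PKT_HUGE_FRAME, (int)sizeof PKT_HUGE_FRAME));
    return 0;
}
```

The zero-frame and empty-packet inputs are exactly the two cases the commit message describes; the last input shows why the bounds check should happen before the total is updated, since adding 0x7fffffff to a running total of 2 would overflow a signed int.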