From patchwork Mon Jul 20 07:32:49 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21200
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 20 Jul 2020 09:32:49 +0200
Message-Id: <20200720073249.32014-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avformat/matroskadec: Avoid undefined pointer arithmetic
Cc: Andreas Rheinhardt

The Matroska demuxer currently always opens a GetByteContext to read the
content of the projection's private data buffer; it does this even if
there is no private data buffer in which case opening the GetByteContext
will lead to a NULL + 0 which is undefined behaviour. Furthermore, in
this case the code relied both on the implicit checks of the bytestream2
API as well as on the fact that it returns zero if there is not enough
data available.

Both of these issues have been addressed by not using the bytestream API
any more; instead the data is simply read directly by using AV_RB. This
is possible because the offsets are constants.

Signed-off-by: Andreas Rheinhardt
--- libavformat/matroskadec.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index cff7f0cb54..6abb5412de 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c
@@ -2162,30 +2162,26 @@ static int mkv_parse_video_projection(AVStream *st, const MatroskaTrack *track, void *logctx) { AVSphericalMapping *spherical; + const MatroskaTrackVideoProjection *mkv_projection = &track->video.projection; + const uint8_t *priv_data = mkv_projection->private.data; enum AVSphericalProjection projection; size_t spherical_size; uint32_t l = 0, t = 0, r = 0, b = 0; uint32_t padding = 0; int ret; - GetByteContext gb; - bytestream2_init(&gb, track->video.projection.private.data, - track->video.projection.private.size); - - if (bytestream2_get_byte(&gb) != 0) { + if (mkv_projection->private.size && priv_data[0] != 0) { av_log(logctx, AV_LOG_WARNING, "Unknown spherical metadata\n"); return 0; } - bytestream2_skip(&gb, 3); // flags - switch (track->video.projection.type) { case MATROSKA_VIDEO_PROJECTION_TYPE_EQUIRECTANGULAR: if (track->video.projection.private.size == 20) { - t = bytestream2_get_be32(&gb); - b = bytestream2_get_be32(&gb); - l = bytestream2_get_be32(&gb); - r = bytestream2_get_be32(&gb); + t = AV_RB32(priv_data + 4); + b = AV_RB32(priv_data + 8); + l = AV_RB32(priv_data + 12); + r = AV_RB32(priv_data + 16); if (b >= UINT_MAX - t || r >= UINT_MAX - l) { av_log(logctx, AV_LOG_ERROR, @@ -2209,14 +2205,14 @@ static int mkv_parse_video_projection(AVStream *st, const MatroskaTrack *track, av_log(logctx, AV_LOG_ERROR, "Missing projection private properties\n"); return AVERROR_INVALIDDATA; } else if (track->video.projection.private.size == 12) { - uint32_t layout = bytestream2_get_be32(&gb); + uint32_t layout = AV_RB32(priv_data + 4); if (layout) { av_log(logctx, AV_LOG_WARNING, "Unknown spherical cubemap layout %"PRIu32"\n", layout); return 0; } projection = AV_SPHERICAL_CUBEMAP; - padding = bytestream2_get_be32(&gb); + padding = AV_RB32(priv_data + 8); } else { av_log(logctx, AV_LOG_ERROR, "Unknown spherical metadata\n"); return AVERROR_INVALIDDATA;
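Review bot: in the first hunk (@@ -2162), the reads at `priv_data + 4` through `priv_data + 16` replace `bytestream2_skip(&gb, 3); // flags`, and with that the only documentation of the layout is gone (one version byte, three flag bytes, then big-endian 32-bit fields). Please add a short comment or named offsets at the reads. AV_RB32 does no bounds checking, so these four reads are in bounds only because of the enclosing `private.size == 20` test (16 + 4 = 20), and `priv_data` may be NULL when the size is 0; a comment tying the reads to that test would keep a later relaxation of the size check from turning into an out-of-bounds or NULL read. Style: the new `mkv_projection` local is used for the version check, but the switch and the size test still spell out `track->video.projection.type` and `track->video.projection.private.size`; use the local throughout.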
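Review bot: in the second hunk (@@ -2209), `AV_RB32(priv_data + 4)` for `layout` and `AV_RB32(priv_data + 8)` for `padding` depend entirely on the `private.size == 12` test in the `else if` above them; the bytestream2 reads they replace would have returned zero on short data, so the safety now rests on that one comparison. Keep the size test and both reads visibly together and note the dependency in a comment (8 + 4 = 12), and consider using `mkv_projection->private.size` here as well so the branch reads consistently with the version check introduced at the top of the function.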