From patchwork Sun Sep 20 16:16:57 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 22530
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 20 Sep 2020 18:16:57 +0200
Message-Id: <20200920161657.1979613-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.25.1
Subject: [FFmpeg-devel] [PATCH] avformat/aaxdec: Fix potential integer overflow
Cc: Andreas Rheinhardt

The AAX demuxer reads a 32-bit number containing the amount of entries of an array and stores it in a uint32_t. Yet when iterating over this array, a loop counter of type int is used. This leads to undefined behaviour if the amount of entries is not in the range of int; to avoid this, it is generally good to use the same type for the loop counter as for the variable it is compared to. This is done in one of the two loops affected by this.

In the other loop, the undefined behaviour can begin even earlier: here the loop counter is multiplied by a uint16_t which can overflow as soon as the loop counter is > 2^15. Using an unsigned type would avoid the undefined behaviour, but truncation would still be possible, so use a uint64_t.

Also use a uint32_t for a variable containing an index in said array.

This fixes Coverity issue #1466767.

Signed-off-by: Andreas Rheinhardt
---
This is untested as I could only find out that this is a gaming format.

 libavformat/aaxdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
index cfd2e10a15..3db6e9bc6d 100644
--- a/libavformat/aaxdec.c
+++ b/libavformat/aaxdec.c
@@ -51,7 +51,7 @@ typedef struct AAXContext { int64_t strings_size; char *string_table; - int current_segment; + uint32_t current_segment; AAXColumn *xcolumns; AAXSegment *segments; @@ -239,7 +239,7 @@ static int aax_read_header(AVFormatContext *s) flag = a->xcolumns[c].flag; col_offset = a->xcolumns[c].offset; - for (int r = 0; r < a->nb_segments; r++) { + for (uint64_t r = 0; r < a->nb_segments; r++) { if (flag & COLUMN_FLAG_DEFAULT) { data_offset = a->schema_offset + col_offset; } else if (flag & COLUMN_FLAG_ROW) { @@ -330,7 +330,7 @@ static int aax_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = avio_tell(pb); - for (int seg = 0; seg < a->nb_segments; seg++) { + for (uint32_t seg = 0; seg < a->nb_segments; seg++) { int64_t start = a->segments[seg].start; int64_t end = a->segments[seg].end;
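Review bot: the first hunk (`@@ -51,7`) changes only the declaration of `current_segment` to `uint32_t`, and the diff does not show where the field is assigned or compared, so please confirm that no remaining use relies on it being signed: an initialisation to -1, a `< 0` sentinel check, or a `%d` in a log message would silently change meaning rather than fail to compile. Naming the function that assigns the field in the commit message (it only says "a variable containing an index in said array") would let reviewers verify this without opening the file.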
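Review bot: in the second hunk (`@@ -239,7`) `r` becomes `uint64_t` while the third hunk's `seg` becomes `uint32_t`, and nothing at the loop site explains the difference; the reason given in the commit message (this counter is multiplied by a `uint16_t`, so the product, up to about 2^48 for a 32-bit count times a 16-bit size, must be computed in a type that neither overflows nor truncates) belongs in a comment on the `for` line, otherwise a later cleanup will "harmonise" it back to `uint32_t`. The multiplication itself sits in the `COLUMN_FLAG_ROW` branch beyond the visible context, so also check that the destination of that product (`data_offset`) is wide enough to take the 64-bit value; widening `r` alone does not help if the result is narrowed on assignment.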
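Review bot: the third hunk (`@@ -330,7`) gives `seg` the type of `nb_segments`, which is also the new type of `current_segment` from the first hunk; if `seg` is what gets stored into `current_segment`, the two hunks only make sense together and the commit message should say so, since applying one without the other reintroduces a signed/unsigned mismatch. As this loop walks all `nb_segments` entries on every `aax_read_packet` call, it is also worth stating (in the message or a comment) where `nb_segments` is bounded relative to the allocation of `a->segments`, so that a large count read from the file cannot turn each packet read into a scan of billions of entries.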
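The arithmetic the commit message describes, as an added illustration that is not part of this patch or of FFmpeg's aaxdec.c: `int_product_overflows` decides, without performing the undefined multiplication, whether the original `(int r) * (uint16_t size)` would exceed `INT_MAX`; `first_overflowing_counter` computes the counter value at which that happens for a given row size (32769 for a 65535-byte row, i.e. the "> 2^15" of the message); `row_offset` is the widened form with a `uint64_t` counter. All function names are hypothetical, and the row size and base offset are constructed stand-ins for values the demuxer reads from the file.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not FFmpeg code. The names below are hypothetical;
 * the counter, row size and base offset are constructed stand-ins for the
 * values the AAX demuxer reads from the file. */

/* Would the original expression, (int r) * (uint16_t size), overflow?
 * Integer promotion turns the uint16_t into an int, so the product is
 * computed in int and is undefined behaviour once it exceeds INT_MAX.
 * The check itself uses 64-bit arithmetic so that it never performs the
 * overflowing multiplication. */
int int_product_overflows(uint32_t r, uint16_t size)
{
    return (uint64_t)r * size > (uint64_t)INT_MAX;
}

/* Smallest counter value at which the int product overflows for a given
 * row size, or 0 if the product can never overflow (size 0). For size >= 1
 * the result is at most 2^31, so it always fits a uint32_t. */
uint32_t first_overflowing_counter(uint16_t size)
{
    if (size == 0)
        return 0;
    return (uint32_t)((uint64_t)INT_MAX / size + 1);
}

/* The fixed form: with a uint64_t counter the product is evaluated in
 * uint64_t. r < 2^32 and size < 2^16 bound it below 2^48, so it fits an
 * int64_t offset without truncation, which a 32-bit unsigned counter
 * would not guarantee. */
int64_t row_offset(int64_t base, uint64_t r, uint16_t size)
{
    return base + (int64_t)(r * size);
}

int main(void)
{
    uint16_t size = UINT16_MAX;   /* constructed worst-case row size */
    uint32_t r = first_overflowing_counter(size);

    printf("int counter * %u first overflows at r = %u (2^15 + 1)\n",
           (unsigned)size, (unsigned)r);
    printf("r = %u: overflow? %d; r = %u: overflow? %d\n",
           (unsigned)(r - 1), int_product_overflows(r - 1, size),
           (unsigned)r, int_product_overflows(r, size));
    printf("widened offset for r = UINT32_MAX: %lld\n",
           (long long)row_offset(0, UINT32_MAX, size));
    return 0;
}
```

The check in `int_product_overflows` is the shape to use when auditing similar loops: cast one operand up to 64 bits before multiplying, compare against the limit of the type the original code used, and never rely on observing the wrapped value, because a compiler is entitled to assume the signed overflow does not happen.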