From patchwork Sun Dec  6 03:09:33 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 24363
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id E33CD44A657
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun,  6 Dec 2020 05:09:48 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id BA5E468A7B4;
	Sun,  6 Dec 2020 05:09:48 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-ej1-f68.google.com (mail-ej1-f68.google.com
 [209.85.218.68])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 7AF6668A6E1
 for <ffmpeg-devel@ffmpeg.org>; Sun,  6 Dec 2020 05:09:42 +0200 (EET)
Received: by mail-ej1-f68.google.com with SMTP id qw4so14421162ejb.12
 for <ffmpeg-devel@ffmpeg.org>; Sat, 05 Dec 2020 19:09:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=IGJjUJOz7/dw29QLsio9JeCZnXsN3vb0NoP6VZNuzhE=;
 b=JkLsvfs/mQt8NDBZIAo0mljXynZOHZN+kQYYJHQ7P/xVi3siCLwntcqiPu0nw6mk6y
 IbXglKvulLXWYh9mFGY3zjR0cNU/MVRFhkDdKw86yXUgwjWNfFfvY7rV9fovaT469yPI
 CObgqxxsnZJ+Slmc5BxUQpia1c5tRkeGDDsa1WAzg3jUMbKXk3XgExYlZ17Ui6Dt8ijG
 g7IERUJBuPUT3VnqJREF6+EEQuj7lQrNwp+l4e5f8YmOZw+svapuIlsYuPpHPjdXpBse
 NP6dQcuoxw1+Io+nbkLxUriylcIMt06eeNNVHrUUj9xhj15Ha5agLGiouRdPhtm25ZDj
 6npg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=IGJjUJOz7/dw29QLsio9JeCZnXsN3vb0NoP6VZNuzhE=;
 b=eMAuvTuTHA3nlUBRqrxX59E7afdcXVmmmZk9ONJGcCY9Sy1xXsAFESWc03+PohDnMw
 52SOF9uTpQDBVJV1FOAE/6gWF2l33QqQQ++Z+1zTjw4C8ZXSUTVGewkSn9Xc17ZuwqHm
 P3RoBfu3h5S3Hwn6Ud3nKtthd/I38scGSdse2yt0e3Ii8CKVIYpASAhYD2TJ+WYaAbR0
 zOeOBupiYwUSsDnbTDEwqLpkoiUDY8bp4xQ4c3dVwPw0iDitvovidnQQa3LgfkFX5rv9
 F1iOoz0CJxb2kPFpZKIXGIo+wwnRUQ9cHAzN9vJJu7onS6ssl93jxj2EnQUI4KZ8/3+S
 wFMA==
X-Gm-Message-State: AOAM530JXIHi59mCKUIiPBgzerNdZ4Tj8eNp2ZYAOl1OWOKKqKfexl46
 KdxdljKWdA2dHNrla2/Ydupkii6n5uRoGg==
X-Google-Smtp-Source: 
 ABdhPJxDUMUMw4V+aGgY4Ftl6iWMZSBbGzxSGWuq4ISFo3fM1lynzB0KIp7CsSunK+BuT3Hj80qcgw==
X-Received: by 2002:a17:906:3a55:: with SMTP id
 a21mr13769425ejf.516.1607224181868;
 Sat, 05 Dec 2020 19:09:41 -0800 (PST)
Received: from sblaptop.fritz.box (ipbcc1aa4b.dynamic.kabel-deutschland.de.
 [188.193.170.75])
 by smtp.gmail.com with ESMTPSA id 3sm6804941ejn.7.2020.12.05.19.09.40
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sat, 05 Dec 2020 19:09:41 -0800 (PST)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Sun,  6 Dec 2020 04:09:33 +0100
Message-Id: <20201206030934.395352-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/2] avformat/framecrcenc: Don't read after
	the end of side-data
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Nothing guarantees that the size of side data containing a palette
is actually divisible by four (although it should be); but for
big-endian systems, an algorithm is used that presupposed this.
So switch to an algorithm that does not overread: It processes
four bytes at a time, but only if all of them are contained in
the side data.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/framecrcenc.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavformat/framecrcenc.c b/libavformat/framecrcenc.c
index a567b5299c..f7c48779a0 100644
--- a/libavformat/framecrcenc.c
+++ b/libavformat/framecrcenc.c
@@ -23,6 +23,7 @@
 
 #include "libavutil/adler32.h"
 #include "libavutil/avstring.h"
+#include "libavutil/intreadwrite.h"
 #include "avformat.h"
 #include "internal.h"
 
@@ -52,16 +53,17 @@ static int framecrc_write_packet(struct AVFormatContext *s, AVPacket *pkt)
     if (pkt->flags != AV_PKT_FLAG_KEY)
         av_strlcatf(buf, sizeof(buf), ", F=0x%0X", pkt->flags);
     if (pkt->side_data_elems) {
-        int i, j;
+        int i;
         av_strlcatf(buf, sizeof(buf), ", S=%d", pkt->side_data_elems);
 
         for (i=0; i<pkt->side_data_elems; i++) {
+            const AVPacketSideData *const sd = &pkt->side_data[i];
             uint32_t side_data_crc = 0;
             if (HAVE_BIGENDIAN && AV_PKT_DATA_PALETTE == pkt->side_data[i].type) {
-                for (j=0; j<pkt->side_data[i].size; j++) {
-                    side_data_crc = av_adler32_update(side_data_crc,
-                                                      pkt->side_data[i].data + (j^3),
-                                                      1);
+                for (int j = 0; j < sd->size / 4; j++) {
+                    uint8_t buf[4];
+                    AV_WL32(buf, AV_RB32(sd->data + 4 * j));
+                    side_data_crc = av_adler32_update(side_data_crc, buf, 4);
                 }
             } else {
                 side_data_crc = av_adler32_update(0,