From patchwork Sun Feb 21 01:40:59 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 25853
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 1862E449C88
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 21 Feb 2021 03:41:16 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id DDB5E68A68F;
	Sun, 21 Feb 2021 03:41:15 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com
 [209.85.128.45])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E1A3868A64E
 for <ffmpeg-devel@ffmpeg.org>; Sun, 21 Feb 2021 03:41:09 +0200 (EET)
Received: by mail-wm1-f45.google.com with SMTP id x16so10268201wmk.3
 for <ffmpeg-devel@ffmpeg.org>; Sat, 20 Feb 2021 17:41:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=h5ZNRrUrHeqZsinbkHn7eL0nNiDSTA8utrrNE9nUc78=;
 b=pnU3nqcL3WvyZhL8ar+qFHaBJNNwkBqnzN48PbQsjNqh5pgUiJCgnx9lhKSwV9qZv2
 FZIIykcCRSkCropjOG//VqE2SzpDOqFCLj91hnQq3p0e41xsCUupgHi/lD/ItXsIcGw3
 zvdUvshZfRK3MAVrqK75OTiyeQWVoNM3gQU0HyGWi3c4JHO5xDCt8EWLfSlA8b0f/THb
 isCxPEv10Ds2lJM9ME5o7w+tbQdtK9qV/TSyH3KqxSIqyjlNFhuOgwndwjxijqh99ztA
 3u5FtEaB3iusvxTt/U2Jnj0YcWXOjdPROus7yiedbGVuc3b/Mzmt5BFwSpVqy1jDS+6M
 tehg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=h5ZNRrUrHeqZsinbkHn7eL0nNiDSTA8utrrNE9nUc78=;
 b=oG9CxyanPt+MXyAteuS9aG6DQxdpCPJPHF1yh6P4QD5+BtHYiEK8sej4nfTTor2pZG
 wFr/df5qgaXTFp7HQ4fgLwaoFX4W2o8taH+49zw1mLxjv+aZjeFHmLcsPa6Wya5gaBBr
 k/VboRhpWTjSHCRupTsDoUhooDJKEuYiANsM0oQSGpZp45JUtSXaE+5WhbYsIwhRGunS
 0OBvDnmWaMQN2z3KibGgfGO9anwuj8lErgHJsMZDlQUT5PKDRFVZinRkRyW7bWq3USJY
 WiKqHX14Oxd17lJ/OzIUmmWsbbsDSW4IpS9n6EQjekJ5luKBipKDcXu7UcnoGNOAZMRR
 N4cQ==
X-Gm-Message-State: AOAM5326d4UNFGbxDas9C6tMBxCTnkU2OEQVqhNZFLx0RKfXoshvtJRB
 qEEAUoE2dhzJ9Q4Cjr+iku4BlmjK/Mg=
X-Google-Smtp-Source: 
 ABdhPJzk8E7yfaaaEg3pBU2/70bazDOCpd4a2562ZVQbbegGXK648/ncK0O6rQCWyJkzF+zfkqQnqg==
X-Received: by 2002:a7b:c1c4:: with SMTP id a4mr3832771wmj.123.1613871669240;
 Sat, 20 Feb 2021 17:41:09 -0800 (PST)
Received: from sblaptop.fritz.box (ipbcc1aa4b.dynamic.kabel-deutschland.de.
 [188.193.170.75])
 by smtp.gmail.com with ESMTPSA id z66sm20195597wmg.39.2021.02.20.17.41.08
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sat, 20 Feb 2021 17:41:08 -0800 (PST)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 21 Feb 2021 02:40:59 +0100
Message-Id: <20210221014100.195627-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.27.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/movtextenc: Check for too many
	styles
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

The counter for the number of styles is written on two bytes, ergo
anything > UINT16_MAX is invalid. This also fixes a compiler warning
because of a tautologically true check on 64bit systems.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
A better solution would be to error out as soon as the byte length of a
subtitle exceeds UINT16_MAX; yet for this one would have to modify all
of ass_split to allow the callbacks to return errors.

 libavcodec/movtextenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c
index 1bef21e0b9..cf30adbd0a 100644
--- a/libavcodec/movtextenc.c
+++ b/libavcodec/movtextenc.c
@@ -355,7 +355,7 @@ static int mov_text_style_start(MovTextContext *s)
         StyleBox *tmp;
 
         // last style != defaults, end the style entry and start a new one
-        if (s->count + 1 > SIZE_MAX / sizeof(*s->style_attributes) ||
+        if (s->count + 1 > FFMIN(SIZE_MAX / sizeof(*s->style_attributes), UINT16_MAX) ||
             !(tmp = av_fast_realloc(s->style_attributes,
                                     &s->style_attributes_bytes_allocated,
                                     (s->count + 1) * sizeof(*s->style_attributes)))) {