From patchwork Wed Mar 17 23:59:54 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 26434
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 18 Mar 2021 00:59:54 +0100
Message-Id: <20210317235958.1308987-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/avpacket: Improve overflow checks when packing dictionary

Also avoid reallocations.

Signed-off-by: Andreas Rheinhardt
--- libavcodec/avpacket.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 6840688b15..8f0850fb00 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c
@@ -509,37 +509,37 @@ int av_packet_split_side_data(AVPacket *pkt){ uint8_t *av_packet_pack_dictionary(AVDictionary *dict, int *size) { - AVDictionaryEntry *t = NULL; uint8_t *data = NULL; *size = 0; if (!dict) return NULL; - while ((t = av_dict_get(dict, "", t, AV_DICT_IGNORE_SUFFIX))) { - const size_t keylen = strlen(t->key); - const size_t valuelen = strlen(t->value); - const size_t new_size = *size + keylen + 1 + valuelen + 1; - uint8_t *const new_data = av_realloc(data, new_size); + for (int pass = 0; pass < 2; pass++) { + const AVDictionaryEntry *t = NULL; + size_t total_length = 0; - if (!new_data) - goto fail; - data = new_data; - if (new_size > INT_MAX) - goto fail; - - memcpy(data + *size, t->key, keylen + 1); - memcpy(data + *size + keylen + 1, t->value, valuelen + 1); + while ((t = av_dict_get(dict, "", t, AV_DICT_IGNORE_SUFFIX))) { + for (int i = 0; i < 2; i++) { + const char *str = i ? t->value : t->key; + const size_t len = strlen(str) + 1; - *size = new_size; + if (pass) + memcpy(data + total_length, str, len); + else if (len > INT_MAX - total_length) + return NULL; + total_length += len; + } + } + if (pass) + break; + data = av_malloc(total_length); + if (!data) + return NULL; + *size = total_length; } return data; - -fail: - av_freep(&data); - *size = 0; - return NULL; } int av_packet_unpack_dictionary(const uint8_t *data, int size, AVDictionary **dict)
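Review bot: In the first pass of av_packet_pack_dictionary(), a non-NULL dict that yields no entries now reaches `data = av_malloc(total_length)` with total_length equal to 0, whereas the removed while loop never ran in that case and returned data as NULL with *size 0. If the result for an empty dictionary is meant to stay the same, return early after the first pass when total_length is 0; otherwise mention the changed return value in the commit message. Separately, the copy in the second pass, `memcpy(data + total_length, str, len)`, is bounded only by the assumption that the second av_dict_get() walk returns the same strings as the first, and `len > INT_MAX - total_length` is safe only because total_length never exceeds INT_MAX at that point. A short comment stating both invariants would make the two-pass loop easier to audit, as would splitting it into a sizing loop and a copy loop instead of branching on `pass` inside the inner loop.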