From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Thu, 18 Mar 2021 00:59:57 +0100
Subject: [FFmpeg-devel] [PATCH 4/5] avformat/matroskaenc: Check WebVTT subtitles for overflow
Message-Id: <20210317235958.1308987-4-andreas.rheinhardt@gmail.com>
In-Reply-To: <20210317235958.1308987-1-andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 26437

The destination here is a dynamic buffer which is restricted to INT_MAX, so check for that.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/matroskaenc.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 5d8d4cd646..4931988efd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -2133,7 +2133,7 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac mkv_track *track = &mkv->tracks[pkt->stream_index]; ebml_master blockgroup; buffer_size_t id_size, settings_size; - int size; + int size = pkt->size + 2; const char *id, *settings; int64_t ts = track->write_dts ? pkt->dts : pkt->pts; const int flags = 0; @@ -2141,12 +2141,17 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); id = id ? id : ""; + if (id_size > INT_MAX - size) + return AVERROR(ERANGE); + size += id_size; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); settings = settings ? settings : ""; + if (settings_size > INT_MAX - size) + return AVERROR(ERANGE); - size = id_size + 1 + settings_size + 1 + pkt->size; + size += settings_size; /* The following string is identical to the one in mkv_write_block so that * only one copy needs to exist in binaries. */ @@ -2170,7 +2175,7 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac put_ebml_uint(pb, MATROSKA_ID_BLOCKDURATION, pkt->duration); end_ebml_master(pb, blockgroup); - return pkt->duration; + return 0; } static int mkv_end_cluster(AVFormatContext *s) @@ -2341,7 +2346,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, const AVPacket *pkt) } } else { if (par->codec_id == AV_CODEC_ID_WEBVTT) { - duration = mkv_write_vtt_blocks(s, pb, pkt); + ret = mkv_write_vtt_blocks(s, pb, pkt); + if (ret < 0) + return ret; } else { ebml_master blockgroup = start_ebml_master(pb, MATROSKA_ID_BLOCKGROUP, mkv_blockgroup_size(pkt->size,
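Review bot: In the first hunk (@@ -2133,7), the initializer `int size = pkt->size + 2;` performs an addition that is not itself guarded, while both later additions are checked against INT_MAX. It is only safe if pkt->size can never exceed INT_MAX - 2, which nothing in the visible lines establishes. Either check pkt->size in the same style or state the invariant in a comment. The literal 2 also replaces the two explicit `+ 1` terms of the removed expression `id_size + 1 + settings_size + 1 + pkt->size`, so a short comment saying what those two bytes are would keep the size computation readable.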
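Review bot: Both new `return AVERROR(ERANGE);` paths in the second hunk (@@ -2141,12) fail without a log message, so the caller sees a range error with no hint that the WebVTT identifier or settings side data made the block too large. Consider an av_log() call at AV_LOG_ERROR before each return, naming which of the two sizes tripped the limit. The placement of the checks is good: both run before `size` is used, and the `x > INT_MAX - size` form avoids overflowing in the comparison itself.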
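Review bot: The change from `return pkt->duration;` to `return 0;` at the end of mkv_write_vtt_blocks() (third hunk, @@ -2170,7) turns the return value from a duration into a status code, which the commit message does not mention since it only describes the INT_MAX check. Mention it in the commit message, or add a one-line comment on the function saying it returns 0 on success and a negative AVERROR code on failure.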
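Review bot: In the WebVTT branch of mkv_write_packet_internal() (last hunk, @@ -2341,7), `duration` is no longer assigned now that the call result goes to `ret`, so any later code that reads `duration` gets whatever value it had before this branch. The visible lines do not show that initialization. Please confirm it still yields the packet duration for WebVTT packets, and that returning early on `ret < 0` skips no cleanup the rest of the function would otherwise have done.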