From patchwork Thu Mar 18 16:14:55 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Derek Buitenhuis <derek.buitenhuis@gmail.com>
X-Patchwork-Id: 26448
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id CF9B544B793
	for <patchwork@ffaux-bg.ffmpeg.org>; Thu, 18 Mar 2021 18:22:03 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id B0D1E68A141;
	Thu, 18 Mar 2021 18:22:03 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-ej1-f47.google.com (mail-ej1-f47.google.com
 [209.85.218.47])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 92FD0687F5A
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Mar 2021 18:21:57 +0200 (EET)
Received: by mail-ej1-f47.google.com with SMTP id hq27so4872159ejc.9
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Mar 2021 09:21:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=XC3aYmescINbqTiloqv9PaiRXcnDvABvdPbsGxL0SwE=;
 b=M8fDB70jlDjVtAaLfrI5asvzQ6REOYqrartWjhPjBU+1sq0Ax+lr4Esz4a3FT991kO
 ywPSZ+bWKudxXLqj6pLfG4Z2wlPzZ4+6xxkpA9STx5QVJGXwVXEDvAEzNyQZ7PfBXfU9
 eSdPjl7zUCWYW0oLYme0vOMQw1SvqTpz1ED7H8/wetvehqCCvzWzJCWcbpuGCJ1EwrIQ
 E0i9kPhAcr86/zrOujIWn9Q8a7fSEhzj+TXLuysx8CoUiLcTcrNrhk/abna029Rpoj7I
 Bgac5uxpsc5yb4dn5PBgiZHWzMDhKKR1LvBGaL2aXus7jP6J3DJuFEzK8zlFuw5Gp1Is
 J9XQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=XC3aYmescINbqTiloqv9PaiRXcnDvABvdPbsGxL0SwE=;
 b=mU/RWRZQD96PN8I4VnWeZs7q4UIjaLbaROmRDhYSaJfXLfwilutip6kIp2e9OOutjK
 OBm5+6/XQN0GUYm74BZ5Zti9ud3hXdukeXmLm5QH0VUDRcoKBGLD4dqqdpFbgUWUFfEW
 pYlf+AB7nsP3d265CjKgdIN7bug4vx8zbqyBo+mXLEnDqPP28O6HKJt/iW+BKavzVRQg
 34PbqGjUB5G9T71Xvs1iZkssiSLo3rRpJB/asjQeZAhDRzfIH2wu+kUm19cDfKo3sW4x
 g2hURd7D8lNj4VzV55BE0NPOyo/PtYLNR7KtoIpVheEWXchkNXrj1P0upx2Yd3pPXQas
 s+cQ==
X-Gm-Message-State: AOAM531jT4gaxaoxNINw+HpbRvfWO1pU6eyVoVmoXOxrUwXA9W6HxlhK
 /2DrErVXH/UGEMoGqzfQr+kv+nQdXp4=
X-Google-Smtp-Source: 
 ABdhPJwI0zqOaFjDRO635Cc6CzT/NrRXWZ85/Yp8Tuh8VVpUszSQB3Sa9Q0dYKvhUwgUHHXbLh++WA==
X-Received: by 2002:adf:fac1:: with SMTP id a1mr90993wrs.98.1616084104921;
 Thu, 18 Mar 2021 09:15:04 -0700 (PDT)
Received: from localhost.localdomain ([82.129.110.36])
 by smtp.gmail.com with ESMTPSA id s3sm2709081wmd.21.2021.03.18.09.15.04
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 Mar 2021 09:15:04 -0700 (PDT)
From: Derek Buitenhuis <derek.buitenhuis@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 18 Mar 2021 16:14:55 +0000
Message-Id: <20210318161456.1103652-1-derek.buitenhuis@gmail.com>
X-Mailer: git-send-email 2.30.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/2] avformat/mov: Fix extended atom size
	buffer length check
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

When extended atom size support was added to probing in
fec4a2d232d7ebf6d1084fb568d4d84844f25abc, the buffer
size check was backwards, but probing continued to work
because there was no minimum size check yet, so despite
size being 1 on these atoms, and failing to read the 64-bit
size, the tag was still correctly read.

When 0b78016b2d7c36b32d07669c0c86bc4b4225ec98 introduced a
minimum size check, this exposed the bug, and broke probing
any files with extended atom sizes, such as entirely valid
large files that start whith mdat atoms.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 97857789f4..33cfb42228 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7114,7 +7114,7 @@ static int mov_probe(const AVProbeData *p)
         if ((offset + 8) > (unsigned int)p->buf_size)
             break;
         size = AV_RB32(p->buf + offset);
-        if (size == 1 && offset + 16 > (unsigned int)p->buf_size) {
+        if (size == 1 && offset + 16 <= (unsigned int)p->buf_size) {
             size = AV_RB64(p->buf+offset + 8);
             minsize = 16;
         } else if (size == 0) {