From patchwork Wed Sep 15 12:58:11 2021
X-Patchwork-Submitter: Nicolas Jorge Dato
X-Patchwork-Id: 30257
From: Nicolas Jorge Dato
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 15 Sep 2021 09:58:11 -0300
Message-Id: <20210915125811.12314-1-nicolas.dato@gmail.com>
Subject: [FFmpeg-devel] [PATCH v3] avformat/mpegts: fixes overflow when parsing the PMT
Cc: Nicolas Jorge Dato

When a possible overflow was detected, there was a break to exit the while loop. However, it should have already subtracted 2 bytes from program_info_length (descriptor ID + length).

Ticket #9422
---
 libavformat/mpegts.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index fe89d4fb9f..f4e95d21fd 100644
--- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2346,10 +2346,11 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len av_log(ts->stream, AV_LOG_TRACE, "program tag: 0x%02x len=%d\n", tag, len); - if (len > program_info_length - 2) + program_info_length -= 2; + if (len > program_info_length) // something else is broken, exit the program_descriptors_loop break; - program_info_length -= len + 2; + program_info_length -= len; if (tag == IOD_DESCRIPTOR) { get8(&p, p_end); // scope get8(&p, p_end); // label
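Review bot: the reordering is correct for the early-exit path and a no-op for the normal path, but the commit message should state where the stale count is consumed, and the change needs a regression sample. Moving `program_info_length -= 2;` ahead of the `if (len > program_info_length)` check means that when the loop breaks, the count already excludes the two header bytes (tag and length) read by the preceding get8 calls, which is the discrepancy the commit message describes; on the non-break path the result is unchanged, since `-= 2` followed by `-= len` equals the old `-= len + 2`. What the diff alone does not show is the code after the loop that uses the leftover program_info_length to advance past the descriptor area, which is the read that the commit subject calls an overflow; one sentence naming that use would let a reviewer confirm the fix from the patch without opening the file. Since this branch is only reached on malformed input (a descriptor length larger than the remaining program_info_length), please add the sample from ticket #9422, or a minimal constructed PMT with such a descriptor, as a FATE test so the early-exit path is exercised under the sanitizers.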