From: Jiasheng Jiang
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 16 Feb 2022 16:40:16 +0800
Message-Id: <20220216084016.1979611-1-jiasheng@iscas.ac.cn>
Subject: [FFmpeg-devel] [PATCH v2] avformat/nutdec: Add check for avformat_new_stream

Because of the potential failure of the memory allocation, avformat_new_stream() could return a NULL pointer. Therefore, it should be better to check it and return an error if it fails.
Also, the caller, nut_read_header(), needs to deal with the return value of decode_main_header() and return an error if memory allocation fails. To avoid mishandling an invalid 'time_base_count', another check for 'time_base_count' is needed, returning a different error if it fails.

Fixes: 619d8e2e58 ("updating nut demuxer to latest spec no muxing yet no index yet no seeking yet libnuts crcs dont match mine (didnt investigate yet) samplerate is stored wrong by libnut (demuxer has a workaround) code is not clean or beautifull yet, but i thought its better to commit early before someone unneccesarily wastes his time duplicating the work demuxer split from muxer")
Signed-off-by: Jiasheng Jiang
---
Changelog:

v1 -> v2

* Change 1. Add the error handling for ENOMEM from decode_main_header() in nut_read_header().
* Change 2. Check for the 'time_base_count'.
---
libavformat/nutdec.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0a8a700acf..4cbccb20d9 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -220,6 +220,10 @@ static int decode_main_header(NUTContext *nut) } GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); + + if (nut->time_base_count > NUT_MAX_STREAMS) + return AVERROR_INVALIDDATA; + nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); @@ -351,8 +355,13 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR(ENOMEM); goto fail; } - for (i = 0; i < stream_count; i++) - avformat_new_stream(s, NULL); + for (i = 0; i < stream_count; i++) { + if (!avformat_new_stream(s, NULL)) { + av_free(nut->stream); + ret = AVERROR(ENOMEM); + goto fail; + } + } return 0; fail: 
@@ -800,19 +809,23 @@ static int nut_read_header(AVFormatContext *s) NUTContext *nut = s->priv_data; AVIOContext *bc = s->pb; int64_t pos; - int initialized_stream_count; + int initialized_stream_count, ret; nut->avf = s; /* main header */ pos = 0; + ret = 0; do { + if (ret == AVERROR(ENOMEM)) + return ret; + pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); return AVERROR_INVALIDDATA; } - } while (decode_main_header(nut) < 0); + } while ((ret = decode_main_header(nut)) < 0); /* stream headers */ pos = 0;
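
Review bot: In the first hunk (@@ -220,6 +220,10 @@), the new test compares a count of time bases against NUT_MAX_STREAMS, which by its name is a limit on streams, and nothing in the hunk or the commit message says why that is the right bound for time_base_count. The GET_V() line directly above already constrains the value (tmp > 0, tmp < INT_MAX / sizeof(AVRational), tmp < length/2), and the av_malloc_array() result is already checked in the context lines, so please state what invalid case the extra check rejects, either in a comment or in the commit message. If the bound is intended, folding it into the GET_V() condition would keep all validation of this field in one place instead of splitting it between the macro and a separate if.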
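
Review bot: In the second hunk (@@ -351,8 +355,13 @@), the failure branch calls av_free(nut->stream) and then jumps to fail without clearing the pointer, so nut->stream is left dangling for whatever runs afterwards: the code under the fail label, a later cleanup of the context, or another pass through decode_main_header() from the retry loop in nut_read_header(). Use av_freep(&nut->stream) here so a second free or a stale dereference is not possible. Note also that when avformat_new_stream() fails at i > 0, the streams created in earlier iterations remain attached to s while the array backing them in nut has been released; it is worth confirming that the caller never touches those streams on the ENOMEM return path.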
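
Review bot: In the third hunk (@@ -800,19 +809,23 @@), the ENOMEM test sits at the top of the do body, so it inspects the result of the previous iteration, which is the only reason ret = 0; has to be set before the loop. That works but is hard to read; calling decode_main_header() inside the body, returning immediately when ret == AVERROR(ENOMEM), and ending the loop with while (ret < 0) would put the check next to the call it belongs to and drop the need for the initializer. The early return is also silent: an av_log() at AV_LOG_ERROR, as the "No main startcode found." path already does, would make the allocation failure distinguishable in logs. Every other negative return, including the new AVERROR_INVALIDDATA from the time_base_count check, still causes a rescan for the next main startcode, which is presumably intended but deserves a line in the commit message.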