diff mbox series

[FFmpeg-devel] mov demuxer: Check if a key is longer than the atom containing it

Message ID 20240402022928.585868-2-ezemtsov@google.com
State Accepted
Commit 8a23a145d85964950123952d897b89c2c2b1b8c5
Headers show
Series [FFmpeg-devel] mov demuxer: Check if a key is longer than the atom containing it | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/configure_x86 warning Failed to apply patch

Commit Message

Eugene Zemtsov April 2, 2024, 2:28 a.m. UTC 
From: Eugene Zemtsov <eugene@chromium.org>

Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.

Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
---
 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

James Almer April 2, 2024, 3:18 a.m. UTC | #1 
On 4/1/2024 11:28 PM, Eugene Zemtsov via ffmpeg-devel wrote:
> From: Eugene Zemtsov <eugene@chromium.org>
> 
> Stop reading keys and return AVERROR_INVALIDDATA if key_size
> is larger than the amount of space left in the atom.
> 
> Bug: https://crbug.com/41496983
> Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
> ---
>   libavformat/mov.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 662301bf67..2d92e7963b 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5048,12 +5048,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>       for (i = 1; i <= count; ++i) {
>           uint32_t key_size = avio_rb32(pb);
>           uint32_t type = avio_rl32(pb);
> -        if (key_size < 8) {
> +        if (key_size < 8 || key_size > atom.size) {
>               av_log(c->fc, AV_LOG_ERROR,
>                      "The key# %"PRIu32" in meta has invalid size:"
>                      "%"PRIu32"\n", i, key_size);
>               return AVERROR_INVALIDDATA;
>           }
> +        atom.size -= key_size;
>           key_size -= 8;
>           if (type != MKTAG('m','d','t','a')) {
>               avio_skip(pb, key_size);

Applied. Thanks.
diff mbox series

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 662301bf67..2d92e7963b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5048,12 +5048,13 @@  static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     for (i = 1; i <= count; ++i) {
         uint32_t key_size = avio_rb32(pb);
         uint32_t type = avio_rl32(pb);
-        if (key_size < 8) {
+        if (key_size < 8 || key_size > atom.size) {
             av_log(c->fc, AV_LOG_ERROR,
                    "The key# %"PRIu32" in meta has invalid size:"
                    "%"PRIu32"\n", i, key_size);
             return AVERROR_INVALIDDATA;
         }
+        atom.size -= key_size;
         key_size -= 8;
         if (type != MKTAG('m','d','t','a')) {
             avio_skip(pb, key_size);