| Field | Value |
|---|---|
| Message ID | 20240402022928.585868-2-ezemtsov@google.com |
| State | Accepted |
| Commit | 8a23a145d85964950123952d897b89c2c2b1b8c5 |
| Series | [FFmpeg-devel] mov demuxer: Check if a key is longer than the atom containing it |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/configure_x86 | warning | Failed to apply patch |
On 4/1/2024 11:28 PM, Eugene Zemtsov via ffmpeg-devel wrote: > From: Eugene Zemtsov <eugene@chromium.org> > > Stop reading keys and return AVERROR_INVALIDDATA if key_size > is larger than the amount of space left in the atom. > > Bug: https://crbug.com/41496983 > Signed-off-by: Eugene Zemtsov <eugene@chromium.org> > --- > libavformat/mov.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 662301bf67..2d92e7963b 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -5048,12 +5048,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) > for (i = 1; i <= count; ++i) { > uint32_t key_size = avio_rb32(pb); > uint32_t type = avio_rl32(pb); > - if (key_size < 8) { > + if (key_size < 8 || key_size > atom.size) { > av_log(c->fc, AV_LOG_ERROR, > "The key# %"PRIu32" in meta has invalid size:" > "%"PRIu32"\n", i, key_size); > return AVERROR_INVALIDDATA; > } > + atom.size -= key_size; > key_size -= 8; > if (type != MKTAG('m','d','t','a')) { > avio_skip(pb, key_size); Applied. Thanks.
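Review bot: the new bound `key_size > atom.size` is only correct if `atom.size` already excludes the version/flags and count fields read before the loop; that part of mov_read_keys() is outside the hunk, so confirm those 8 bytes are subtracted before the loop, otherwise the last key can still overrun the atom by up to 8 bytes. The ordering inside the hunk looks right: `atom.size -= key_size` is applied with the full key length (header included) before `key_size -= 8`, so the remaining-space accounting matches what `avio_skip(pb, key_size)` and the following reads actually consume, and because `key_size` is rejected when it exceeds `atom.size` the subtraction cannot go negative. Assuming `atom.size` is the signed 64-bit field of `MOVAtom`, the unsigned 32-bit `key_size` promotes cleanly in the comparison. Minor and pre-existing: `"has invalid size:" "%"PRIu32` concatenates to `size:%u` with no separating space; `"has invalid size: %"PRIu32` reads better in the log.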
diff --git a/libavformat/mov.c b/libavformat/mov.c index 662301bf67..2d92e7963b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5048,12 +5048,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size);
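To show what the bound in the patch prevents, here is a stand-alone parser for the body of a QuickTime `keys` atom, written for this page as an added example; it is not FFmpeg code and none of its names (`parse_keys`, `KEYS_ERR_INVALIDDATA`, the `check_space` flag, the sample bytes) exist in libavformat. It assumes the layout the hunk reads: 4 bytes of version/flags, a 4-byte big-endian entry count, then entries of `key_size | namespace | value` where `key_size` counts its own 8-byte header and the namespace of interest is `mdta`. The constructed sample places a 16-byte sibling atom directly after the keys atom, so running the unchecked form over a key whose declared size exceeds the space left shows the parser swallowing the sibling atom's bytes as key data, while the checked form rejects the key the way the patch does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not FFmpeg code. Minimal parser for a 'keys' atom body:
 * version/flags (4), entry count (4), then entries of
 * key_size (4, BE, includes its own 8-byte header) | namespace (4) | value.
 * Error code, limits and function names are this example's own. */

#define KEYS_ERR_INVALIDDATA (-1)
#define MAX_KEYS    8
#define MAX_KEY_LEN 31

static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* buf/buf_len : the file region starting at the keys atom body; every read
 *               is bounded by buf_len so this demo itself never reads OOB.
 * atom_size   : body size the container declared for the keys atom.
 * check_space : 1 = reject a key that extends past atom_size (the check the
 *               patch adds), 0 = the unchecked form.
 * Returns the number of 'mdta' keys stored, or KEYS_ERR_INVALIDDATA. */
int parse_keys(const uint8_t *buf, size_t buf_len, int64_t atom_size,
               int check_space, char keys[MAX_KEYS][MAX_KEY_LEN + 1])
{
    size_t pos = 0;
    if (atom_size < 8 || (uint64_t)atom_size > buf_len)
        return KEYS_ERR_INVALIDDATA;
    pos += 4;                                /* version + flags, unused */
    uint32_t count = rb32(buf + pos);
    pos += 4;
    atom_size -= 8;                          /* header bytes consumed */

    int stored = 0;
    for (uint32_t i = 1; i <= count; i++) {
        if (pos + 8 > buf_len)               /* demo-only bound on the file */
            return KEYS_ERR_INVALIDDATA;
        uint32_t key_size = rb32(buf + pos);
        const uint8_t *ns = buf + pos + 4;   /* namespace tag, e.g. "mdta" */
        pos += 8;

        /* The patched condition: a key must fit in what is left of the atom. */
        if (key_size < 8 || (check_space && key_size > atom_size))
            return KEYS_ERR_INVALIDDATA;
        atom_size -= key_size;               /* space left in the atom */
        key_size -= 8;                       /* payload length */

        if (pos + key_size > buf_len)        /* demo-only bound on the file */
            return KEYS_ERR_INVALIDDATA;
        if (memcmp(ns, "mdta", 4) == 0 && stored < MAX_KEYS) {
            size_t n = key_size < MAX_KEY_LEN ? key_size : MAX_KEY_LEN;
            memcpy(keys[stored], buf + pos, n);
            keys[stored][n] = '\0';
            stored++;
        }
        pos += key_size;                     /* skip the value */
    }
    return stored;
}

/* Constructed sample: a 44-byte keys body holding two 'mdta' keys, followed
 * by the 16-byte sibling atom that comes next in the file. */
static const uint8_t SAMPLE[60] = {
    0x00,0x00,0x00,0x00,                    /* version/flags */
    0x00,0x00,0x00,0x02,                    /* entry count = 2 */
    0x00,0x00,0x00,0x14, 'm','d','t','a',   /* key 1: size 20 */
    'c','o','m','.','t','e','s','t','.','f','o','o',
    0x00,0x00,0x00,0x10, 'm','d','t','a',   /* key 2: size 16 */
    'c','o','m','.','x','.','b','b',
    0x00,0x00,0x00,0x10, 'i','l','s','t',   /* sibling atom: size 16 */
    'A','A','A','A','A','A','A','A',
};
#define SAMPLE_ATOM_SIZE 44

/* Same bytes, but key 2 claims 32 bytes: 16 more than the atom has left. */
static void make_oversized(uint8_t out[60])
{
    memcpy(out, SAMPLE, 60);
    out[31] = 0x20;
}

/* Returns 1 if the well-formed sample parses, the unchecked parser swallows
 * the sibling atom's "ilst" tag into key 2, and the checked parser rejects
 * the oversized key. */
int demo(void)
{
    char keys[MAX_KEYS][MAX_KEY_LEN + 1];
    uint8_t bad[60];
    make_oversized(bad);

    int ok        = parse_keys(SAMPLE, 60, SAMPLE_ATOM_SIZE, 1, keys);
    int unchecked = parse_keys(bad, 60, SAMPLE_ATOM_SIZE, 0, keys);
    int desynced  = unchecked == 2 && memcmp(keys[1] + 12, "ilst", 4) == 0;
    int checked   = parse_keys(bad, 60, SAMPLE_ATOM_SIZE, 1, keys);

    return ok == 2 && desynced && checked == KEYS_ERR_INVALIDDATA;
}
```

The demo bounds every read by the total buffer so the example itself is memory-safe; in a real demuxer reading from a stream there is no such outer bound, which is why the per-key check against the space left in the atom is the one that keeps key parsing from running into whatever follows.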