From patchwork Mon May 20 01:41:57 2024
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 49048
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 19 May 2024 22:41:57 -0300
Message-ID: <20240520014157.5399-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avformat/mov: store sample_sizes as unsigned ints

As defined in Section 8.7.3.2.1 of ISO 14496-12. Any unsupported value will be rejected in mov_build_index() without outright aborting demuxing.

Fixes ticket #11005.

Signed-off-by: James Almer
--- libavformat/isom.h | 2 +- libavformat/mov.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 07f09d6eff..c0a5788e08 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -193,7 +193,7 @@ typedef struct MOVStreamContext { unsigned int sample_size; ///< may contain value calculated from stsd or value from stsz atom unsigned int stsz_sample_size; ///< always contains sample size from stsz atom unsigned int sample_count; - int *sample_sizes; + unsigned int *sample_sizes; int keyframe_absent; unsigned int keyframe_count; int *keyframes; diff --git a/libavformat/mov.c b/libavformat/mov.c index b3fa748f27..54c2d1eebc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -3308,9 +3308,9 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); - if (sc->sample_sizes[i] < 0) { + if (sc->sample_sizes[i] > INT64_MAX - sc->data_size) { av_free(buf); - av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); + av_log(c->fc, AV_LOG_ERROR, "Sample size overflow in STSZ\n"); return AVERROR_INVALIDDATA; } sc->data_size += sc->sample_sizes[i];
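
Review bot: in the libavformat/isom.h hunk, `sample_sizes` changes from `int *` to `unsigned int *` but still carries no `///<` comment, unlike `sample_size` and `stsz_sample_size` directly above it. A one-line comment stating that entries are the raw values read from the stsz atom and may exceed INT_MAX would warn readers of the array not to store an entry in an `int` without a range check. The only reader updated in this patch is mov_read_stsz(), so it would help to confirm that every other use of `sc->sample_sizes[i]` was checked for signed comparisons or assignments that now convert implicitly.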
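
Review bot: in the mov_read_stsz() hunk, dropping the `sc->sample_sizes[i] < 0` test means a single entry above INT_MAX is no longer rejected at parse time; it is stored and added to `sc->data_size`, and the rejection the commit message promises happens in mov_build_index(), which this patch does not touch. Please name in the commit message, or in a comment here, the check in mov_build_index() that rejects such values, and consider a regression test covering ticket #11005. The new condition `sc->sample_sizes[i] > INT64_MAX - sc->data_size` is sound only while `sc->data_size` is a non-negative 64-bit signed value, and its declaration is not in the visible lines. The replacement message "Sample size overflow in STSZ" also loses the offending value; logging the entry index `i` and the size with `%u` would keep the diagnostic useful.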