[FFmpeg-devel,5/5] avformat/rdt: Check pkt_len

Message ID	20240607003215.1723906-5-michael@niedermayer.cc
State	New
Headers	show Delivered-To: ffmpegpatchwork2@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Fri, 7 Jun 2024 02:32:15 +0200 Message-ID: <20240607003215.1723906-5-michael@niedermayer.cc> In-Reply-To: <20240607003215.1723906-1-michael@niedermayer.cc> References: <20240607003215.1723906-1-michael@niedermayer.cc> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 5/5] avformat/rdt: Check pkt_len Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel,1/5] avformat/mov: Check requested_sample before using it \| expand [FFmpeg-devel,1/5] avformat/mov: Check requested_sample before using it [FFmpeg-devel,2/5] avformat/mpeg: Check len in mpegps_probe() [FFmpeg-devel,3/5] avformat/mxfdec: Check container_ul->desc before use [FFmpeg-devel,4/5] avformat/mxfenc: Remove dead code [FFmpeg-devel,5/5] avformat/rdt: Check pkt_len

Message ID

20240607003215.1723906-5-michael@niedermayer.cc

State

New

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  7 Jun 2024 02:32:15 +0200
Message-ID: <20240607003215.1723906-5-michael@niedermayer.cc>
In-Reply-To: <20240607003215.1723906-1-michael@niedermayer.cc>
References: <20240607003215.1723906-1-michael@niedermayer.cc>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 5/5] avformat/rdt: Check pkt_len
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel,1/5] avformat/mov: Check requested_sample before using it | expand

Context	Check	Description
andriy/make_x86	success	Make finished
andriy/make_fate_x86	success	Make fate finished

Context

Check

Description

andriy/make_x86

success

Make finished

andriy/make_fate_x86

success

Make fate finished

Commit Message

Michael Niedermayer June 7, 2024, 12:32 a.m. UTC

Fixes: CID1473553 Untrusted loop bound

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rdt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/rdt.c b/libavformat/rdt.c
index 60449d256a5..2fa53d34a8d 100644
--- a/libavformat/rdt.c
+++ b/libavformat/rdt.c
@@ -206,6 +206,8 @@  ff_rdt_parse_header(const uint8_t *buf, int len,
             return -1; /* not followed by a data packet */
 
         pkt_len = AV_RB16(buf+3);
+        if (pkt_len > len)
+            return AVERROR_INVALIDDATA;
         buf += pkt_len;
         len -= pkt_len;
         consumed += pkt_len;

[FFmpeg-devel,5/5] avformat/rdt: Check pkt_len

Checks

Commit Message

Patch