From patchwork Sat May 14 20:55:15 2022
X-Patchwork-Submitter: Aman Karmani
X-Patchwork-Id: 35769
From: softworkz
Message-Id: <97e0d765c98243e35d167bae0870b2c07fd613aa.1652561722.git.ffmpegagent@gmail.com>
Date: Sat, 14 May 2022 20:55:15 +0000
To: ffmpeg-devel@ffmpeg.org
Cc: Michael Niedermayer, softworkz
Subject: [FFmpeg-devel] [PATCH v4 03/10] libavformat/asfdec: fix type of value_len
From: softworkz

The value_len is a uint32, not an int32, per spec. That value must not be truncated, neither by casting to int nor by any conditional checks, because at the end of get_tag this value is needed to move forward in parsing. When the len value gets modified, the parsing may break.

Signed-off-by: softworkz
--- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index c7c4ba55d6..eda7175c96 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s) static int asf_read_content_desc(AVFormatContext *s) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); 
@@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s) ASFContext *asf = s->priv_data; uint64_t dar_num[128] = {0}; uint64_t dar_den[128] = {0}; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM);
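Review bot: in the get_tag hunk, widening the parameter to `uint32_t len` only helps if every caller passes an unsigned value; this patch converts the asf_read_content_desc caller but the other get_tag call sites in asfdec_f.c are not in the diff, so any that still pass an `int` (and a negative one in particular) now convert silently to a large unsigned length. Please audit those callers, and inside get_tag check any comparison of `len` against the still-`int` `type2_size`, which has become a signed/unsigned mixed comparison. A one-line comment on the parameter stating that it carries the on-disk 32-bit length would make the intent explicit.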
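Review bot: in the asf_read_content_desc hunk, len1..len5 are widened to `uint32_t`, but each is filled by `avio_rl16(pb)`, so they are 16-bit values that can never exceed 65535; the asf_read_metadata hunk uses `uint16_t` for fields read the same way. Either use `uint16_t` here too for consistency, or say in the commit message that `uint32_t` was chosen to match the new get_tag parameter type.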
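Review bot: in the asf_read_metadata hunk, the removed `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` was the only bound on value_len visible in this function and nothing in the hunk replaces it, so a crafted file can now declare a value_len of up to 4 GiB that is handed straight to get_tag. Not narrowing the value is the right call, but the arbitrary UINT16_MAX cap should be replaced by a check against the bytes remaining in the enclosing object (or `avio_size(pb)`), not dropped. Two smaller points: the `(uint16_t)` casts on the `avio_rl16` results are redundant, since assignment to a `uint16_t` already narrows, and moving `value_type` from the loop body to function scope widens its lifetime for no gain.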
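To make the commit message's point concrete, here is an added example (not FFmpeg code, and not part of this patch) that parses one ASF Metadata Object record with the same field order the hunk reads via avio_rl16/avio_rl32, keeps Value Length as a `uint32_t`, and bounds it against the bytes actually present. A "legacy" variant reproduces the pre-patch narrowing-to-int plus UINT16_MAX cap so the difference is visible. The struct, helper names and the constructed sample record are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REC_HDR 12 /* 4 x u16 + 1 x u32, as read in asf_read_metadata */

/* Example-only record view; field order follows the avio_rl16/avio_rl32
 * calls in the patched hunk. Name/value pointers point into the caller's buffer. */
struct asf_meta_rec {
    uint16_t lang_list_index, stream_num, name_len_utf16, value_type;
    uint32_t value_len;   /* on-disk uint32: never narrowed to int */
    const uint8_t *name, *value;
};

static uint16_t rl16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Patched shape: returns the bytes consumed (what the caller skips forward by),
 * or 0 if the record claims more than the buffer holds. */
static size_t parse_meta_record(const uint8_t *buf, size_t len, struct asf_meta_rec *rec)
{
    size_t remaining;
    if (len < REC_HDR)
        return 0;
    rec->lang_list_index = rl16(buf + 0);
    rec->stream_num      = rl16(buf + 2);
    rec->name_len_utf16  = rl16(buf + 4);
    rec->value_type      = rl16(buf + 6);
    rec->value_len       = rl32(buf + 8);
    /* Bound each length against what is left, one step at a time, so the
     * sum cannot wrap even with a 32-bit size_t. */
    remaining = len - REC_HDR;
    if (rec->name_len_utf16 > remaining)
        return 0;
    remaining -= rec->name_len_utf16;
    if (rec->value_len > remaining)
        return 0;
    rec->name  = buf + REC_HDR;
    rec->value = rec->name + rec->name_len_utf16;
    return REC_HDR + rec->name_len_utf16 + (size_t)rec->value_len;
}

/* Pre-patch shape: Value Length narrowed to int and capped at UINT16_MAX,
 * so a well-formed record with a 64 KiB+ value is refused outright. */
static size_t parse_meta_record_legacy(const uint8_t *buf, size_t len, struct asf_meta_rec *rec)
{
    int value_len;
    if (len < REC_HDR)
        return 0;
    value_len = (int)rl32(buf + 8);   /* 0x80000000 and above turn negative */
    if (value_len < 0 || value_len > UINT16_MAX)
        return 0;
    return parse_meta_record(buf, len, rec);
}

/* Constructed sample record: stream 1, UTF-16LE name "a" (2 bytes), then
 * value_len zero bytes. Returns bytes written, or 0 if cap is too small. */
static size_t build_record(uint8_t *out, size_t cap, uint32_t value_len)
{
    size_t total = REC_HDR + 2 + (size_t)value_len;
    if (total > cap)
        return 0;
    memset(out, 0, total);
    out[2] = 1;                         /* stream_num = 1 */
    out[4] = 2;                         /* name_len_utf16 = 2 */
    out[8]  = (uint8_t)value_len;         out[9]  = (uint8_t)(value_len >> 8);
    out[10] = (uint8_t)(value_len >> 16); out[11] = (uint8_t)(value_len >> 24);
    out[12] = 'a';                      /* name "a\0" in UTF-16LE */
    return total;
}

static uint8_t g_buf[REC_HDR + 2 + 70000];

/* A 70000-byte value that is fully present: the patched parser consumes the
 * whole record, the legacy one rejects it because 70000 > UINT16_MAX. */
static int large_value_new_ok(void)
{
    struct asf_meta_rec rec;
    size_t n = build_record(g_buf, sizeof g_buf, 70000);
    return n != 0 && parse_meta_record(g_buf, n, &rec) == n &&
           rec.value_len == 70000 && rec.stream_num == 1;
}

static int large_value_legacy_rejected(void)
{
    struct asf_meta_rec rec;
    size_t n = build_record(g_buf, sizeof g_buf, 70000);
    return n != 0 && parse_meta_record_legacy(g_buf, n, &rec) == 0;
}

/* Header claims 0x80000000 value bytes but only 20 bytes exist: the unsigned
 * bound against the buffer catches it, no int cast needed. */
static int oversized_claim_rejected(void)
{
    struct asf_meta_rec rec;
    uint8_t hdr[20] = { 0, 0, 1, 0, 2, 0, 0, 0, 0x00, 0x00, 0x00, 0x80, 'a', 0 };
    return parse_meta_record(hdr, sizeof hdr, &rec) == 0;
}

int main(void)
{
    printf("new parser, 70000-byte value: %s\n", large_value_new_ok() ? "ok" : "FAIL");
    printf("legacy parser, same record:   %s\n", large_value_legacy_rejected() ? "rejected" : "FAIL");
    printf("0x80000000 claim in 20 bytes: %s\n", oversized_claim_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

The design point is that the bound comes from the data actually available, not from an arbitrary constant: the 16-bit cap the patch removes rejected legitimate large values, while the narrowing to `int` it also removes made values of 2 GiB and above negative. Checking the unsigned length against the remaining bytes handles both without ever altering the length that the caller later uses to skip forward.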