From patchwork Wed Dec 8 20:23:57 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 32189
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Wed, 8 Dec 2021 21:23:57 +0100
Subject: [FFmpeg-devel] [PATCH 4/6] avcodec/movtextdec: Redo TextSampleModifierBox size checks

The current checks just check whether the boxes fit into the remaining size of the packet instead of whether they actually fit into the box size. This has been changed; part of this change is to pass the size of the box (minus the box header) as parameter instead of a pointer to the AVPacket by which the box parsing function is supposed to recalculate whether enough data is available.

Signed-off-by: Andreas Rheinhardt

--- libavcodec/movtextdec.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 001df6a5a1..967c0adf7f 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -103,7 +103,6 @@ typedef struct { uint8_t box_flags; uint16_t style_entries, ftab_entries; uint64_t tracksize; - int size_var; int readorder; int frame_width; int frame_height; @@ -112,7 +111,7 @@ typedef struct { typedef struct { uint32_t type; unsigned base_size; - int (*decode)(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt); + int (*decode)(const uint8_t *tsmb, MovTextContext *m, uint64_t size); } Box; static void mov_text_cleanup(MovTextContext *m) @@ -241,14 +240,14 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) return 0; } -static int decode_twrp(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) +static int decode_twrp(const uint8_t *tsmb, MovTextContext *m, uint64_t size) { m->box_flags |= TWRP_BOX; m->w.wrap_flag = bytestream_get_byte(&tsmb); return 0; } -static int decode_hlit(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) +static int decode_hlit(const uint8_t *tsmb, MovTextContext *m, uint64_t size) { m->box_flags |= HLIT_BOX; m->h.hlit_start = bytestream_get_be16(&tsmb); 
@@ -256,7 +255,7 @@ static int decode_hlit(const uint8_t *tsmb, MovTextContext *m, const AVPacket *a return 0; } -static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) +static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, uint64_t size) { m->box_flags |= HCLR_BOX; bytestream_get_buffer(&tsmb, m->c.hlit_color, 4); @@ -271,14 +270,14 @@ static int styles_equivalent(const StyleBox *a, const StyleBox *b) #undef CMP } -static int decode_styl(const uint8_t *tsmb, MovTextContext *m, const AVPacket *avpkt) +static int decode_styl(const uint8_t *tsmb, MovTextContext *m, uint64_t size) { int i; int style_entries = bytestream_get_be16(&tsmb); StyleBox *tmp; // A single style record is of length 12 bytes. - if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) + if (2 + style_entries * 12 > size) return -1; tmp = av_realloc_array(m->s, style_entries, sizeof(*m->s)); @@ -519,6 +518,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx, av_bprint_init(&buf, 0, AV_BPRINT_SIZE_UNLIMITED); if (text_length + 2 != avpkt->size) { while (m->tracksize + 8 <= avpkt->size) { + int size_var; // A box is a minimum of 8 bytes. tsmb = ptr + m->tracksize - 2; tsmb_size = AV_RB32(tsmb); @@ -531,12 +531,12 @@ static int mov_text_decode_frame(AVCodecContext *avctx, break; tsmb_size = AV_RB64(tsmb); tsmb += 8; - m->size_var = 16; + size_var = 16; } else - m->size_var = 8; + size_var = 8; //size_var is equal to 8 or 16 depending on the size of box - if (tsmb_size < m->size_var) { + if (tsmb_size < size_var) { av_log(avctx, AV_LOG_ERROR, "tsmb_size invalid\n"); return AVERROR_INVALIDDATA; } 
@@ -544,16 +544,18 @@ static int mov_text_decode_frame(AVCodecContext *avctx, if (tsmb_size > avpkt->size - m->tracksize) break; + m->tracksize += tsmb_size; + tsmb_size -= size_var; + for (i = 0; i < box_count; i++) { if (tsmb_type == box_types[i].type) { - if (m->tracksize + m->size_var + box_types[i].base_size > avpkt->size) + if (tsmb_size < box_types[i].base_size) break; - ret_tsmb = box_types[i].decode(tsmb, m, avpkt); + ret_tsmb = box_types[i].decode(tsmb, m, tsmb_size); if (ret_tsmb == -1) break; } } - m->tracksize = m->tracksize + tsmb_size; } text_to_ass(&buf, ptr, end, avctx); mov_text_cleanup(m);
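Review bot: The new `uint64_t size` argument of the `decode` callback in `Box` has no comment saying what it counts, and `decode_twrp`, `decode_hlit` and `decode_hclr` accept it without using it. A one-line comment on the member, stating that `size` is the box payload with the 8- or 16-byte header already subtracted and that the caller has already compared it against `base_size`, would put the contract in the code rather than only in the commit message.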
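Review bot: In `decode_styl`, `bytestream_get_be16(&tsmb)` reads the entry count before anything in the function looks at `size`, so those two bytes are covered only by the caller's `tsmb_size < box_types[i].base_size` test. Either say so in the comment above `if (2 + style_entries * 12 > size)` or have the function reject `size < 2` itself, so the callee stays safe if a table entry's `base_size` is ever changed. The left side of that comparison is an `int` expression compared with a `uint64_t`; it cannot be negative for a 16-bit count, but declaring `style_entries` unsigned would remove the implicit conversion.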
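Review bot: In the box loop of `mov_text_decode_frame`, a box whose payload is smaller than `base_size`, or whose decoder returns -1, is dropped by `break` with no log message, while the `tsmb_size < size_var` case a few lines earlier logs "tsmb_size invalid" and returns `AVERROR_INVALIDDATA`. With `m->tracksize += tsmb_size` now done before the lookup, skipping such a box is well defined, but an `av_log` at warning or debug level on both `break` paths would make truncated boxes visible when triaging malformed samples. A short comment after `tsmb_size -= size_var` noting that `tsmb_size` is the payload size from that point on would also help, since the same variable held the full box size in the bounds check just above.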