From patchwork Fri Aug 27 14:08:57 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 29809
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 27 Aug 2021 16:08:57 +0200
X-Mailer: git-send-email 2.30.2
X-Microsoft-Original-Message-ID: <20210827140921.641126-1-andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH 01/25] avformat/matroskadec: Fix heap-buffer overflow upon gigantic timestamps

The WebM DASH Manifest demuxer creates a comma-delimited list of all the timestamps of index entries. It allocates 20 bytes per timestamp; yet the largest 64-bit numbers have 20 decimal digits (for int64_t it can be '-' + 19 digits), so that one needs 21B per entry because of the comma (resp. the final NUL).

The code uses snprintf, but snprintf returns the strlen of the string that would have been written had the supplied buffer been big enough. And if this is 21, then the next entry is written at an offset of 21 from the current position. So if enough such entries exist, the buffer won't suffice.

This commit fixes this by replacing the allocation of a buffer for the supposedly worst case with dynamic allocations by using an AVBPrint.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/matroskadec.c | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 7d79b3d5c4..c67a728737 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -35,6 +35,7 @@ #include "libavutil/avstring.h" #include "libavutil/base64.h" +#include "libavutil/bprint.h" #include "libavutil/dict.h" #include "libavutil/intfloat.h" #include "libavutil/intreadwrite.h" @@ -4146,10 +4147,12 @@ static int webm_dash_manifest_cues(AVFormatContext *s, int64_t init_range) MatroskaDemuxContext *matroska = s->priv_data; EbmlList *seekhead_list = &matroska->seekhead; MatroskaSeekhead *seekhead = seekhead_list->elem; + AVStream *const st = s->streams[0]; + AVBPrint bprint; char *buf; int64_t cues_start = -1, cues_end = -1, before_pos, bandwidth; int i; - int end = 0; + int ret; // determine cues start and end positions for (i = 0; i < seekhead_list->nb_elem; i++) @@ -4180,6 +4183,9 @@ static int webm_dash_manifest_cues(AVFormatContext *s, int64_t init_range) // parse the cues matroska_parse_cues(matroska); + if (!st->internal->nb_index_entries) + return AVERROR_INVALIDDATA; + // cues start av_dict_set_int(&s->streams[0]->metadata, CUES_START, cues_start, 0); 
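Review bot: The new `if (!st->internal->nb_index_entries) return AVERROR_INVALIDDATA;` sits before the CUES_START and the following metadata entries are written, so a file whose cues parse to zero index entries now fails the manifest demuxer, whereas the old code went on with an empty list (the removed loop body never executed); that behaviour change deserves a sentence in the commit message. A short comment at the check saying that it is what makes the later `bprint.str[--bprint.len] = '\0';` safe (AVBPrint.len is unsigned and would wrap on an empty list) would also help the next reader. Minor: `st` is introduced here, but the unchanged `av_dict_set_int(&s->streams[0]->metadata, CUES_START, cues_start, 0);` directly below still spells out `s->streams[0]`; using `st->metadata` throughout would be consistent.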
@@ -4199,22 +4205,19 @@ static int webm_dash_manifest_cues(AVFormatContext *s, int64_t init_range) // check if all clusters start with key frames av_dict_set_int(&s->streams[0]->metadata, CLUSTER_KEYFRAME, webm_clusters_start_with_keyframe(s), 0); - // store cue point timestamps as a comma separated list for checking subsegment alignment in - // the muxer. assumes that each timestamp cannot be more than 20 characters long. - buf = av_malloc_array(s->streams[0]->internal->nb_index_entries, 20); - if (!buf) return -1; - strcpy(buf, ""); - for (i = 0; i < s->streams[0]->internal->nb_index_entries; i++) { - int ret = snprintf(buf + end, 20, - "%" PRId64"%s", s->streams[0]->internal->index_entries[i].timestamp, - i != s->streams[0]->internal->nb_index_entries - 1 ? "," : ""); - if (ret <= 0 || (ret == 20 && i == s->streams[0]->internal->nb_index_entries - 1)) { - av_log(s, AV_LOG_ERROR, "timestamp too long.\n"); - av_free(buf); - return AVERROR_INVALIDDATA; - } - end += ret; + // Store cue point timestamps as a comma separated list + // for checking subsegment alignment in the muxer. + av_bprint_init(&bprint, 0, AV_BPRINT_SIZE_UNLIMITED); + for (int i = 0; i < st->internal->nb_index_entries; i++) + av_bprintf(&bprint, "%" PRId64",", st->internal->index_entries[i].timestamp); + if (!av_bprint_is_complete(&bprint)) { + av_bprint_finalize(&bprint, NULL); + return AVERROR(ENOMEM); } + // Remove the trailing ',' + bprint.str[--bprint.len] = '\0'; + if ((ret = av_bprint_finalize(&bprint, &buf)) < 0) + return ret; av_dict_set(&s->streams[0]->metadata, CUE_TIMESTAMPS, buf, AV_DICT_DONT_STRDUP_VAL);
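Review bot: `for (int i = 0; i < st->internal->nb_index_entries; i++)` declares a new `i` that shadows the function-scope `int i;` still used by the seekhead loop; either reuse the existing `i` or drop the outer declaration so the function has one loop variable. `bprint.str[--bprint.len] = '\0';` is correct only because the nb_index_entries check added earlier guarantees at least one entry (len is unsigned, so the decrement on an empty buffer would wrap and index out of bounds); an `av_assert0(bprint.len > 0)` or a one-line comment at that spot would make the dependency explicit instead of relying on a check some twenty lines away. Finally, the unchanged `av_dict_set(&s->streams[0]->metadata, CUE_TIMESTAMPS, buf, AV_DICT_DONT_STRDUP_VAL);` can use `st->metadata` now that `st` exists.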
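The length accounting described in the commit message, as an added stand-alone C example that is not code from the patch or from FFmpeg: `old_accounting_overflows` replays the removed loop's cursor arithmetic over a 20-bytes-per-entry buffer without writing to memory, `required_len` computes the real size of the list, and `join_timestamps` is a bounded variant that checks snprintf's return value against the remaining space before advancing. The function names and the 20-byte budget mirror the commit message; everything else is constructed for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes the removed demuxer loop budgeted for each timestamp. */
#define OLD_BYTES_PER_ENTRY 20

/* Exact length (without NUL) of "ts0,ts1,...": snprintf(NULL, 0, ...)
 * returns the would-be length, the same value the old loop misused. */
size_t required_len(const int64_t *ts, int n)
{
    size_t len = 0;
    for (int i = 0; i < n; i++)
        len += (size_t)snprintf(NULL, 0, "%" PRId64, ts[i]) + (i + 1 < n);
    return len;
}

/* Replays the old accounting: a cursor advanced by snprintf's return value
 * inside a 20*n-byte buffer, each call writing up to 20 bytes (19 chars +
 * NUL) at the cursor.  Returns 1 if a call would reach past the buffer. */
int old_accounting_overflows(const int64_t *ts, int n)
{
    size_t cap = (size_t)n * OLD_BYTES_PER_ENTRY, end = 0;
    for (int i = 0; i < n; i++) {
        if (end + OLD_BYTES_PER_ENTRY > cap)
            return 1;
        end += (size_t)snprintf(NULL, 0, "%" PRId64 "%s", ts[i],
                                i + 1 < n ? "," : "");
    }
    return 0;
}

/* Bounded join: refuses (-1) on truncation instead of overrunning; returns
 * the length written.  Size out with required_len() + 1 to guarantee success. */
int join_timestamps(const int64_t *ts, int n, char *out, size_t cap)
{
    size_t end = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        int r = snprintf(out + end, cap - end, "%" PRId64 "%s", ts[i],
                         i + 1 < n ? "," : "");
        if (r < 0 || (size_t)r >= cap - end)
            return -1;              /* would have been truncated: stop here */
        end += (size_t)r;
    }
    return (int)end;
}
```

Two INT64_MIN timestamps are already enough for the old accounting to reach past its 40-byte buffer, which is the case the patch's AVBPrint rewrite removes.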