From patchwork Sat Jul 24 04:09:22 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 29040
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 24 Jul 2021 06:09:22 +0200
X-Mailer: git-send-email 2.30.2
X-Microsoft-Original-Message-ID: <20210724040922.1999810-1-andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH] avformat/mov: Fix crash with too big STSZ atoms
Cc: Andreas Rheinhardt

mov_read_stsz() did not ensure that every bit of a buffer is addressable
by an int as is required by the get_bits API, leading to a crash in
ticket #9344. Fix this by restricting the size more thoroughly.

The file from said ticket will then be considered invalid; in the future,
we might read and process the data in chunks to actually support such
files.

Fixes ticket #9344.

Signed-off-by: Andreas Rheinhardt
---
The commit message is written as if it were certain that this indeed
fixes the ticket, despite me not knowing it yet (as the sample in
question is not public). The above is intended as a quick fix that is
easy to backport; supporting such files can be done later.

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 3fc5a1e8ab..e0d805b07b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= (UINT_MAX - 4) / field_size) + if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size) return AVERROR_INVALIDDATA; if (sc->sample_sizes) av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
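Review bot: the new bound `entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size` is a bare magic expression in the hunk; a one-line comment next to it saying that it keeps the bit count later handed to the get_bits reader (8 times the rounded-up byte count, plus the padding the reader reserves) below what an int can address, which the commit message only alludes to as "addressable by an int", would stop a later cleanup from loosening it back to the UINT_MAX form, whose only purpose was to guard the unsigned multiplication. Since the cover note says the reproducer is not public, it would also help to state on the list which field_size/entries combination was used to confirm the fix once the sample is available.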
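The arithmetic behind the old and new bound, as an added example that is not part of the patch or of FFmpeg's own code. It assumes AV_INPUT_BUFFER_PADDING_SIZE is 64 (its value in libavcodec at the time) and that init_get_bits() refuses a bit count at or above INT_MAX minus eight times that padding; the helper names and the way the byte count is derived from entries * field_size + 4 are assumptions of this example. It shows, for each sample-size field width the stsz/stz2 reader can see, that the largest entry count the pre-patch check let through yields a bit count that no longer fits an int, while the largest count the patched check accepts does.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to match libavcodec's AV_INPUT_BUFFER_PADDING_SIZE (64 when
 * the patch was posted). This is an assumption of the example. */
#define PADDING_SIZE 64

/* Bound before the patch: only guards the unsigned multiplication
 * entries * field_size + 4 against wrapping. */
static bool stsz_old_check_accepts(unsigned entries, unsigned field_size)
{
    return !(entries >= (UINT_MAX - 4) / field_size);
}

/* Bound after the patch: additionally leaves room for the int bit
 * positions and padding that the get_bits reader works with. */
static bool stsz_new_check_accepts(unsigned entries, unsigned field_size)
{
    return !(entries >= (INT_MAX - 4 - 8 * PADDING_SIZE) / field_size);
}

/* Largest entry count each check lets through for a given field size:
 * both are of the form entries >= K / field_size, so K / field_size - 1. */
static unsigned old_max_entries(unsigned field_size)
{
    return (UINT_MAX - 4) / field_size - 1;
}

static unsigned new_max_entries(unsigned field_size)
{
    return (INT_MAX - 4 - 8 * PADDING_SIZE) / field_size - 1;
}

/* Bit count that would be handed to the bit reader for a table of
 * `entries` sizes of `field_size` bits each (assumed derivation: byte
 * count rounded up via the +4, then back to bits). Computed in 64 bits
 * so that the arithmetic here cannot wrap. */
static uint64_t stsz_gb_bits(uint64_t entries, unsigned field_size)
{
    uint64_t num_bytes = (entries * field_size + 4) >> 3;
    return 8 * num_bytes;
}

/* Mirrors the assumed init_get_bits() acceptance condition: the bit
 * size must stay below INT_MAX minus the padding expressed in bits. */
static bool gb_bits_fit(uint64_t bits)
{
    return bits < (uint64_t)(INT_MAX - 8 * PADDING_SIZE);
}

int main(void)
{
    /* 4, 8 and 16 are the stz2 field widths, 32 the stsz one. */
    const unsigned widths[] = { 4, 8, 16, 32 };

    for (size_t i = 0; i < sizeof(widths) / sizeof(widths[0]); i++) {
        unsigned fs     = widths[i];
        unsigned old_mx = old_max_entries(fs);
        unsigned new_mx = new_max_entries(fs);

        printf("field_size=%2u old max entries=%10u -> %llu bits (%s)\n",
               fs, old_mx, (unsigned long long)stsz_gb_bits(old_mx, fs),
               gb_bits_fit(stsz_gb_bits(old_mx, fs)) ? "fits int" : "does NOT fit int");
        printf("field_size=%2u new max entries=%10u -> %llu bits (%s)\n",
               fs, new_mx, (unsigned long long)stsz_gb_bits(new_mx, fs),
               gb_bits_fit(stsz_gb_bits(new_mx, fs)) ? "fits int" : "does NOT fit int");
    }
    return 0;
}
```

For field_size 32 the old bound admits 134217726 entries, i.e. 4294967232 bits, which is above INT_MAX; the new bound stops at 67108846 entries, i.e. 2147483072 bits, which stays below INT_MAX minus the 512 padding bits, so the reader's int positions cannot wrap. Any width that divides the bound the same way behaves alike, which is why one check covers both stsz and stz2.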