From patchwork Thu Feb 8 15:17:19 2024
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 46113
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 8 Feb 2024 16:17:19 +0100
X-Mailer: git-send-email 2.34.1
X-Microsoft-Original-Message-ID: <20240208151721.478215-1-andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH v2 1/3] avformat/rcwtenc: Fix potential out-of-bounds write
Cc: Andreas Rheinhardt

The rcwt muxer uses several counters for how much data it has already cached: one byte counter and one counter for how many complete blocks (of three bytes each). These counters can become inconsistent when the muxer is fed incomplete blocks, as the muxer presumes that it is about to write a new block at the start of each write_packet call. E.g. sending 65535*3+1 1-byte packets (with data[0] e.g. 0x03) will trigger an out-of-bounds write.

This patch fixes this by processing the data in complete blocks only. This also allows simplifying the code, e.g. removing one of the counters.
Signed-off-by: Andreas Rheinhardt --- Now using RCWT_BLOCK_SIZE where it makes sense. The other two patches are unchanged and therefore not sent. libavformat/rcwtenc.c | 38 +++++++++++--------------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/libavformat/rcwtenc.c b/libavformat/rcwtenc.c index 839436ce84..1becef5f48 100644 --- a/libavformat/rcwtenc.c +++ b/libavformat/rcwtenc.c @@ -65,7 +65,6 @@ #define RCWT_BLOCK_SIZE 3 typedef struct RCWTContext { - int cluster_nb_blocks; int cluster_pos; int64_t cluster_pts; uint8_t cluster_buf[RCWT_CLUSTER_MAX_BLOCKS * RCWT_BLOCK_SIZE]; @@ -75,7 +74,6 @@ static void rcwt_init_cluster(AVFormatContext *avf) { RCWTContext *rcwt = avf->priv_data; - rcwt->cluster_nb_blocks = 0; rcwt->cluster_pos = 0; rcwt->cluster_pts = AV_NOPTS_VALUE; memset(rcwt->cluster_buf, 0, sizeof(rcwt->cluster_buf)); @@ -85,10 +83,10 @@ static void rcwt_flush_cluster(AVFormatContext *avf) { RCWTContext *rcwt = avf->priv_data; - if (rcwt->cluster_nb_blocks > 0) { + if (rcwt->cluster_pos > 0) { avio_wl64(avf->pb, rcwt->cluster_pts); - avio_wl16(avf->pb, rcwt->cluster_nb_blocks); - avio_write(avf->pb, rcwt->cluster_buf, (rcwt->cluster_nb_blocks * RCWT_BLOCK_SIZE)); + avio_wl16(avf->pb, rcwt->cluster_pos / RCWT_BLOCK_SIZE); + avio_write(avf->pb, rcwt->cluster_buf, rcwt->cluster_pos); } rcwt_init_cluster(avf); @@ -129,10 +127,7 @@ static int rcwt_write_packet(AVFormatContext *avf, AVPacket *pkt) { RCWTContext *rcwt = avf->priv_data; - int in_block = 0; - int nb_block_bytes = 0; - - if (pkt->size == 0) + if (pkt->size < RCWT_BLOCK_SIZE) return 0; /* new PTS, new cluster */ 
@@ -146,11 +141,11 @@ static int rcwt_write_packet(AVFormatContext *avf, AVPacket *pkt) return 0; } - for (int i = 0; i < pkt->size; i++) { + for (int i = 0; i <= pkt->size - RCWT_BLOCK_SIZE;) { uint8_t cc_valid; uint8_t cc_type; - if (rcwt->cluster_nb_blocks == RCWT_CLUSTER_MAX_BLOCKS) { + if (rcwt->cluster_pos == RCWT_CLUSTER_MAX_BLOCKS * RCWT_BLOCK_SIZE) { av_log(avf, AV_LOG_WARNING, "Starting new cluster due to size\n"); rcwt_flush_cluster(avf); } @@ -158,25 +153,14 @@ static int rcwt_write_packet(AVFormatContext *avf, AVPacket *pkt) cc_valid = (pkt->data[i] & 0x04) >> 2; cc_type = pkt->data[i] & 0x03; - if (!in_block && !(cc_valid || cc_type == 3)) - continue; - - memcpy(&rcwt->cluster_buf[rcwt->cluster_pos], &pkt->data[i], 1); - rcwt->cluster_pos++; - - if (!in_block) { - in_block = 1; - nb_block_bytes = 1; + if (!(cc_valid || cc_type == 3)) { + i++; continue; } - nb_block_bytes++; - - if (nb_block_bytes == RCWT_BLOCK_SIZE) { - in_block = 0; - nb_block_bytes = 0; - rcwt->cluster_nb_blocks++; - } + memcpy(&rcwt->cluster_buf[rcwt->cluster_pos], &pkt->data[i], 3); + rcwt->cluster_pos += 3; + i += 3; } return 0;
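Review bot: with cluster_nb_blocks removed from RCWTContext in the first hunk, both `avio_wl16(avf->pb, rcwt->cluster_pos / RCWT_BLOCK_SIZE);` in rcwt_flush_cluster and the `rcwt->cluster_pos == RCWT_CLUSTER_MAX_BLOCKS * RCWT_BLOCK_SIZE` comparison in the loop rely on cluster_pos only ever advancing in whole blocks. A comment on the field stating that it is always a multiple of RCWT_BLOCK_SIZE, or an `av_assert0(rcwt->cluster_pos % RCWT_BLOCK_SIZE == 0)` at the top of rcwt_flush_cluster, would document that invariant and turn any future byte-granular write back into a loud failure instead of a silent under-count in the 16-bit block field.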
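Review bot: `if (pkt->size < RCWT_BLOCK_SIZE) return 0;` in the rcwt_write_packet prologue silently discards 1- and 2-byte packets, where the old code only ignored empty ones, and the new loop bound `i <= pkt->size - RCWT_BLOCK_SIZE` likewise never looks at up to two trailing bytes after the last accepted block. That is the intended complete-blocks-only behaviour, but such short or truncated input is exactly the trigger the commit message describes, so a debug-level av_log when bytes are dropped, and a sentence in the commit message saying that partial blocks are discarded rather than carried over to the next packet, would make the new contract visible to the next person who touches this muxer.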
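Review bot: in the `for (int i = 0; i <= pkt->size - RCWT_BLOCK_SIZE;)` hunk the cluster-full check runs before the header byte is validated, so a full cluster followed by a byte that is neither cc_valid nor cc_type == 3 is flushed (with the "Starting new cluster due to size" warning) even though nothing gets appended. The ordering is pre-existing, but now that the loop is block-granular, moving the check below the `if (!(cc_valid || cc_type == 3))` skip would flush only when a block is actually about to be stored. The mid-packet flush also goes through rcwt_init_cluster, which resets cluster_pts to AV_NOPTS_VALUE; the code that re-establishes the PTS for the new cluster is outside these hunks, so it is worth confirming that the rest of the packet does not land in a cluster stamped AV_NOPTS_VALUE.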
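Review bot: the loop body in the last hunk still hard-codes the block size, `memcpy(&rcwt->cluster_buf[rcwt->cluster_pos], &pkt->data[i], 3);`, `rcwt->cluster_pos += 3;` and `i += 3;`, while the loop condition and the cluster-full check in the same function use RCWT_BLOCK_SIZE, and the cover note says the macro is now used where it makes sense. Suggest replacing the three literals with RCWT_BLOCK_SIZE so the copy length can never drift from the bounds arithmetic that now keeps cluster_pos inside cluster_buf.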
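To make the counter inconsistency described in the commit message concrete, here is an added example written for this review; it is not FFmpeg code and does not link against libavformat. It models the pre-patch and post-patch write_packet loops over the same RCWTContext-style state, replaces the avio_* output in rcwt_flush_cluster with a counter, and guards the memcpy into cluster_buf so an out-of-bounds store is counted rather than performed. Assumptions: RCWT_CLUSTER_MAX_BLOCKS is taken as 65535 (inferred from the 16-bit block count and the 65535*3+1 figure in the commit message; the real value is not shown in the patch), and the "new PTS, new cluster" branch, which the patch does not touch, is omitted so every packet belongs to one cluster. The names store, flush, feed and g are this example's own.

```c
/* Added example (not FFmpeg code): a stand-alone model of the rcwtenc cluster
 * bookkeeping before and after the patch. avio_* output becomes a counter and
 * the memcpy into cluster_buf is guarded, so an out-of-bounds store is counted
 * instead of corrupting memory. The "new PTS, new cluster" branch is omitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RCWT_BLOCK_SIZE         3
#define RCWT_CLUSTER_MAX_BLOCKS 65535   /* assumed; see the lead-in */

static struct {
    int     cluster_nb_blocks;          /* old code only */
    int     cluster_pos;
    uint8_t cluster_buf[RCWT_CLUSTER_MAX_BLOCKS * RCWT_BLOCK_SIZE];
    int     oob_writes;                 /* stores that would land past cluster_buf */
    int     blocks_written;             /* block counts the flushes would emit */
} g;

/* Guarded stand-in for memcpy(&rcwt->cluster_buf[rcwt->cluster_pos], src, n). */
static void store(int pos, const uint8_t *src, int n)
{
    if (pos + n > (int)sizeof(g.cluster_buf)) { g.oob_writes++; return; }
    memcpy(&g.cluster_buf[pos], src, n);
}

/* rcwt_flush_cluster + rcwt_init_cluster, old (fixed == 0) or new variant. */
static void flush(int fixed)
{
    if (fixed && g.cluster_pos > 0)
        g.blocks_written += g.cluster_pos / RCWT_BLOCK_SIZE;
    else if (!fixed && g.cluster_nb_blocks > 0)
        g.blocks_written += g.cluster_nb_blocks;
    g.cluster_nb_blocks = g.cluster_pos = 0;
}

/* Pre-patch loop: in_block/nb_block_bytes live only for this call, so a packet
 * ending mid-block advances cluster_pos but never cluster_nb_blocks, the only
 * counter the full-cluster check consults. */
static void write_packet_old(const uint8_t *data, int size)
{
    int in_block = 0, nb_block_bytes = 0;
    for (int i = 0; i < size; i++) {
        uint8_t cc_valid = (data[i] & 0x04) >> 2, cc_type = data[i] & 0x03;
        if (g.cluster_nb_blocks == RCWT_CLUSTER_MAX_BLOCKS)
            flush(0);
        if (!in_block && !(cc_valid || cc_type == 3))
            continue;
        store(g.cluster_pos, &data[i], 1);
        g.cluster_pos++;
        if (!in_block) {
            in_block = nb_block_bytes = 1;
            continue;
        }
        if (++nb_block_bytes == RCWT_BLOCK_SIZE) {
            in_block = nb_block_bytes = 0;
            g.cluster_nb_blocks++;
        }
    }
}

/* Post-patch loop: whole blocks only, and the full-cluster check is made on the
 * same counter the store advances. */
static void write_packet_new(const uint8_t *data, int size)
{
    if (size < RCWT_BLOCK_SIZE)
        return;
    for (int i = 0; i <= size - RCWT_BLOCK_SIZE;) {
        uint8_t cc_valid = (data[i] & 0x04) >> 2, cc_type = data[i] & 0x03;
        if (g.cluster_pos == RCWT_CLUSTER_MAX_BLOCKS * RCWT_BLOCK_SIZE)
            flush(1);
        if (!(cc_valid || cc_type == 3)) {
            i++;
            continue;
        }
        store(g.cluster_pos, &data[i], RCWT_BLOCK_SIZE);
        g.cluster_pos += RCWT_BLOCK_SIZE;
        i += RCWT_BLOCK_SIZE;
    }
}

/* Feed one packet `repeat` times through the chosen loop, then flush. Returns
 * the out-of-bounds store count; g.blocks_written holds the blocks emitted. */
static int feed(int fixed, const uint8_t *data, int size, int repeat)
{
    g.cluster_nb_blocks = g.cluster_pos = g.oob_writes = g.blocks_written = 0;
    while (repeat-- > 0)
        if (fixed) write_packet_new(data, size);
        else       write_packet_old(data, size);
    flush(fixed);
    return g.oob_writes;
}

int main(void)
{
    static const uint8_t one[] = { 0x03 };   /* constructed: the trigger byte */
    int n = RCWT_CLUSTER_MAX_BLOCKS * RCWT_BLOCK_SIZE + 1;
    printf("old loop, %d x 1-byte packets: %d OOB store(s)\n", n, feed(0, one, 1, n));
    printf("new loop, %d x 1-byte packets: %d OOB store(s)\n", n, feed(1, one, 1, n));
    return 0;
}
```

With the old loop, every 1-byte packet of 0x03 is accepted as the start of a block, cluster_pos grows by one, and cluster_nb_blocks stays at zero, so the full-cluster check never fires and the 65535*3+1-th store lands one byte past cluster_buf. The new loop never touches a packet shorter than a block, and because the full-cluster check and the store use the same counter, a stream of well-formed 3-byte packets flushes exactly at the buffer boundary.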