From patchwork Wed Feb 8 00:09:15 2017
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 2447
From: Matthew Wolenetz
Date: Tue, 7 Feb 2017 16:09:15 -0800
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Updated to SIZE_MAX. Thank you for your comments.

On Wed, Dec 14, 2016 at 5:39 PM, Andreas Cadhalpun <
andreas.cadhalpun@googlemail.com> wrote:

> On 15.12.2016 00:36, Matthew Wolenetz wrote:
> > From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001
> > From: Matt Wolenetz
> > Date: Tue, 6 Dec 2016 12:33:08 -0800
> > Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
> >
> > Core of patch is from paul@paulmehta.com
> > Reference https://crbug.com/643951
> > ---
> > libavformat/mov.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 7254505..e506d20 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c,
> AVIOContext *pb, MOVAtom atom)
> > } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) {
> > uint8_t *buffer;
> > size_t len = atom.size - sizeof(uuid);
> > + if (len >= UINT_MAX)
>
> This should also use SIZE_MAX.
>
> > + return AVERROR_INVALIDDATA;
> >
> > buffer = av_mallocz(len + 1);
> > if (!buffer) {
>
> Best regards,
> Andreas
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

From 1763ad5ae340e09081d8f50e867c2702cb5ec61e Mon Sep 17 00:00:00 2001
From: Matt Wolenetz
Date: Wed, 14 Dec 2016 15:26:19 -0800
Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Matt Wolenetz
---
libavformat/mov.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6fd43a0a4e..93aece510c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4849,6 +4849,8 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom)
uint8_t *buffer;
size_t len = atom.size - sizeof(uuid);
if (c->export_xmp) {
+ if (len >= SIZE_MAX)
+ return AVERROR_INVALIDDATA;
buffer = av_mallocz(len + 1);
if (!buffer) {
return AVERROR(ENOMEM);
--
2.11.0.483.g087da7b7c-goog
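Review bot: the added `if (len >= SIZE_MAX)` only rejects the single value at which `len + 1` wraps to zero in `av_mallocz(len + 1)`, while the bad value originates one line earlier: `size_t len = atom.size - sizeof(uuid);` wraps whenever `atom.size` is smaller than `sizeof(uuid)`, and every wrapped `len` other than exactly `SIZE_MAX` still passes the new check and reaches `av_mallocz`, relying on the allocator to fail rather than on input validation. Rejecting an undersized atom before the subtraction, e.g. `if (atom.size < sizeof(uuid)) return AVERROR_INVALIDDATA;` placed ahead of the `len` assignment (mind the signedness of `atom.size` in that comparison), rules out the whole class of truncated atoms and makes the `len + 1` overflow impossible, so the `SIZE_MAX` comparison could then be dropped. Placement is also worth a second look: compared with the earlier version quoted above, the check has moved inside `if (c->export_xmp) {`, so `len` is computed unconditionally but only validated on the export path; a check on `atom.size` before `len` is assigned covers both paths.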