From patchwork Thu Jul 25 23:09:35 2019
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 14071
From: Matthew Wolenetz
Date: Thu, 25 Jul 2019 16:09:35 -0700
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] lafv/wavdec: Fail bext parsing on incomplete reads
List-Id: FFmpeg development discussions and patches

From 7966786250d9581891e0859f769a63f35a5c2729 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz Date: Thu, 25 Jul 2019 15:54:49 -0700 Subject: [PATCH] lafv/wavdec: Fail bext parsing on incomplete reads avio_read can successfully return even when less than the requested amount of input was read. wavdec's bext parsing mistakenly assumed a successful avio_read always read the full amount that was requested. The result could be dictionary tags populated with partially uninitialized values. This change also fixes a broken assertion in wav_parse_bext_string that was off-by-one, though no known current usage of that method hits that broken case. Chromium bug: 987270 Signed-off-by: Matt Wolenetz --- libavformat/wavdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1b131ee2c1..684efd97f9 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -233,9 +233,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; @@ -304,8 +304,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, -- 2.22.0.709.g102302147b-goog
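Review bot: In the first hunk (wav_parse_bext_string), the tightened `av_assert0(length < sizeof(temp))` is the only thing keeping the following `temp[length] = 0` inside the 257-byte `temp` buffer, but the code does not say so. A one-line comment that the strict bound reserves the byte for the terminator would keep it from being relaxed back to `<=` later. The new short-read branch also returns AVERROR_INVALIDDATA without any diagnostic; an av_log line naming `key` and the requested versus returned byte count would make truncated bext chunks much easier to triage.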
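Review bot: In the second hunk (wav_parse_bext_tag), `size` is an int64_t per the function signature in the hunk header, while avio_read takes an int length and returns an int, so `avio_read(s->pb, coding_history, size)` narrows `size` before the new `!= size` comparison widens the result again. Nothing in the visible lines bounds `size`, so a value above INT_MAX would allocate `size + 1` bytes, request a truncated length, and only then fail the comparison. An explicit range check on `size` before the av_malloc would reject that case up front and keep the two widths from disagreeing. Separately, the added `av_free(coding_history)` also closes a leak that the old `< 0` error path had, which is worth a line in the commit message since it changes behaviour beyond the short-read check.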