From patchwork Tue Feb 7 23:46:02 2017
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 2446
In-Reply-To: <6305de4a-4bb9-4566-3308-32259999efbc@googlemail.com>
References: <4c1c671a-46e7-1c2f-9dec-c70d6992ccbd@googlemail.com> <6305de4a-4bb9-4566-3308-32259999efbc@googlemail.com>
From: Matthew Wolenetz
Date: Tue, 7 Feb 2017 15:46:02 -0800
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr

Updated to SIZE_MAX. Thank you for your comments.

On Thu, Dec 15, 2016 at 5:23 PM, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:
> On 15.12.2016 03:25, James Almer wrote:
> > On 12/14/2016 10:39 PM, Andreas Cadhalpun wrote:
> >> On 15.12.2016 00:34, Matthew Wolenetz wrote:
> >>>
> >>> From fd878457cd55690d4a27d74411b68a30c9fb2313 Mon Sep 17 00:00:00 2001
> >>> From: Matt Wolenetz
> >>> Date: Fri, 2 Dec 2016 18:10:39 -0800
> >>> Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
> >>>
> >>> Core of patch is from paul@paulmehta.com
> >>> Reference https://crbug.com/643950
> >>> ---
> >>>  libavformat/mov.c | 2 ++
> >>>  1 file changed, 2 insertions(+)
> >>>
> >>> diff --git a/libavformat/mov.c b/libavformat/mov.c
> >>> index 2a69890..7254505 100644
> >>> --- a/libavformat/mov.c
> >>> +++ b/libavformat/mov.c
> >>> @@ -739,6 +739,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >>>
> >>>      title_size = atom.size - 24;
> >>>      if (title_size > 0) {
> >>> +        if (title_size >= UINT_MAX)
> >>
> >> I think this should use SIZE_MAX.
> >
> > title_size is int64_t and SIZE_MAX is UINT64_MAX on x86_64.
>
> Yes, but the argument of av_malloc is size_t.
>
> >>
> >>> +            return AVERROR_INVALIDDATA;
> >>>          title_str = av_malloc(title_size + 1); /* Add null terminator */
>
> So this should cast the argument to size_t to fix the issue on x86_64:
> title_str = av_malloc((size_t)title_size + 1); /* Add null terminator */
>
> Best regards,
> Andreas
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

From 9ce997c0cc31b3609031590b57e64587acc2aa87 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz
Date: Wed, 14 Dec 2016 15:24:42 -0800
Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Matt Wolenetz
---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6fd43a0a4e..4b86e0fd36 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -742,6 +742,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     title_size = atom.size - 24;
     if (title_size > 0) {
+        if (title_size >= SIZE_MAX)
+            return AVERROR_INVALIDDATA;
         title_str = av_malloc(title_size + 1); /* Add null terminator */
         if (!title_str)
             return AVERROR(ENOMEM);
-- 
2.11.0.483.g087da7b7c-goog
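Review bot: the new `if (title_size >= SIZE_MAX)` check compares an int64_t against a size_t and is only correct because it sits inside the `if (title_size > 0)` block, so the implicit signed-to-unsigned conversion cannot turn a negative value into a huge one; a short comment stating that dependency would stop a later refactor from hoisting the check. It also behaves differently per target: on 64-bit builds SIZE_MAX exceeds INT64_MAX, so the check can never fire and `title_size + 1` is computed in int64_t without wrapping (James's point above), while on 32-bit builds the check is what prevents `title_size + 1` from being truncated to 0 when converted to av_malloc's size_t argument. Since the guard already bounds `title_size + 1` by SIZE_MAX, the `(size_t)title_size + 1` cast suggested earlier in the thread is not needed for correctness, but the commit message or a comment on the `+` lines should say which conversion the SIZE_MAX bound is protecting.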
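The thread's disagreement over UINT_MAX versus SIZE_MAX comes down to how `title_size + 1` behaves when it is converted to the target's size_t. The following C program is an added example, not FFmpeg code and not part of this thread: it models the allocation size that mov_read_hdlr hands to av_malloc with the width of size_t as an explicit parameter, so a 64-bit host can show both the 32-bit truncation the patch guards against and the 64-bit case where the guard is a no-op. The function names, the `size_t_bits` parameter and the sample inputs are this example's own assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FFmpeg code: models the title buffer size that
 * mov_read_hdlr passes to av_malloc(title_size + 1), with the width of the
 * target's size_t given explicitly so a 64-bit host can show both cases.
 * The function names and the size_t_bits parameter are this example's own. */

/* Largest value a size_t of the given width can hold (SIZE_MAX on that target). */
static uint64_t size_max_for(unsigned size_t_bits)
{
    return size_t_bits >= 64 ? UINT64_MAX : (((uint64_t)1 << size_t_bits) - 1);
}

/* What av_malloc receives without the guard: title_size + 1 is computed in
 * int64_t (it cannot overflow, since title_size = atom.size - 24 <= INT64_MAX - 24)
 * and then converted to size_t, which reduces it modulo 2^size_t_bits.
 * Precondition: title_size > 0, as in the caller. */
static uint64_t title_alloc_size_unchecked(int64_t title_size, unsigned size_t_bits)
{
    return (uint64_t)(title_size + 1) & size_max_for(size_t_bits);
}

/* The v2 guard: reject title_size >= SIZE_MAX before the allocation.
 * Returns -1 where mov_read_hdlr returns AVERROR_INVALIDDATA, 0 where the
 * caller skips the allocation (title_size <= 0), otherwise the size that
 * reaches av_malloc, which is now guaranteed to be at least 1.
 * On a 64-bit target SIZE_MAX > INT64_MAX, so the guard can never fire there;
 * its work is done on 32-bit targets, where title_size = 0xFFFFFFFF would
 * otherwise turn into an allocation of 0 bytes. */
static int64_t title_alloc_size_checked(int64_t title_size, unsigned size_t_bits)
{
    if (title_size <= 0)
        return 0;
    /* title_size is positive here, so the conversion to unsigned is exact */
    if ((uint64_t)title_size >= size_max_for(size_t_bits))
        return -1;
    return (int64_t)title_alloc_size_unchecked(title_size, size_t_bits);
}

int main(void)
{
    /* constructed inputs: an ordinary title length and the 32-bit wrap case */
    const int64_t samples[] = { 100, 0xFFFFFFFFLL };
    const unsigned widths[] = { 32, 64 };
    for (size_t i = 0; i < 2; i++)
        for (size_t w = 0; w < 2; w++)
            printf("title_size=%#" PRIx64 " size_t=%u bits: unchecked=%" PRIu64
                   " checked=%" PRId64 "\n",
                   (uint64_t)samples[i], widths[w],
                   title_alloc_size_unchecked(samples[i], widths[w]),
                   title_alloc_size_checked(samples[i], widths[w]));
    return 0;
}
```

Run with `size_t_bits` set to 32 to see `title_size = 0xFFFFFFFF` produce an unchecked allocation size of 0, which the guard turns into a rejection; with 64 the same input is simply a 4 GiB request, and the guard never triggers for any int64_t value.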