From patchwork Wed Dec 14 23:37:27 2016
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 1787
From: Matthew Wolenetz Date: Wed, 14 Dec 2016 15:37:27 -0800 X-Google-Sender-Auth: AS0o3PfhNtJ-IwGSCMjSLAFhfTk Message-ID: To: FFmpeg development discussions and patches X-Content-Filtered-By: Mailman/MimeDel 2.1.20 Subject: [FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wraps and OOB in mov_read_{senc, saiz, udta_string}() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 From 8622f9398e7c89a664c4c2ceff9d35b89ff17bb5 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Tue, 6 Dec 2016 12:54:23 -0800 Subject: [PATCH] lavf/mov.c: Avoid heap allocation wraps and OOB in mov_read_{senc,saiz,udta_string}() Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 --- libavformat/mov.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e506d20..87ad91a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -404,7 +404,7 @@ retry: return ret; } else if (!key && c->found_hdlr_mdta && c->meta_keys) { uint32_t index = AV_RB32(&atom.type); - if (index < c->meta_keys_count) { + if (index < c->meta_keys_count && index > 0) { key = c->meta_keys[index]; } else { av_log(c->fc, AV_LOG_WARNING, @@ -4502,8 +4502,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); /* entries */ - if (atom.size < 8) { - av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" too small\n", atom.size); + if (atom.size < 8 || atom.size > UINT_MAX) { + av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" invalid\n", atom.size); return AVERROR_INVALIDDATA; } 
@@ -4571,6 +4571,11 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } + if (atom.size > UINT_MAX) { + av_log(c->fc, AV_LOG_ERROR, "saiz atom auxiliary_info_sizes size %"PRId64" invalid\n", atom.size); + return AVERROR_INVALIDDATA; + } + /* save the auxiliary info sizes as is */ data_size = atom.size - atom_header_size; -- 2.8.0.rc3.226.g39d4020
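Review bot: in the first hunk (the `retry:` meta-key lookup), the added `index > 0` condition changes which key indices are accepted, but neither the code nor the commit message says why index 0 must be rejected (the commit message only names senc, saiz and udta_string); add a one-line comment at the check, e.g. `/* key index 0 is reserved; valid keys are 1..meta_keys_count-1 */`, so the next reader does not "fix" it back, and mention the meta-key lookup in the commit message since this hunk is not in the three functions listed in the subject.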
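Review bot: the second hunk (mov_read_senc) caps `atom.size` at `UINT_MAX` before it is narrowed for the allocation that follows (not visible in this hunk); a size that fits in an unsigned int can still wrap once it is multiplied by a per-entry size, so check that the allocation below uses an overflow-checked helper such as `av_malloc_array()` or `av_size_mult()` rather than relying on this cap alone. Minor: the error text went from "too small" to "invalid" for both failure modes; keeping the two cases distinguishable in the log (`too small` vs `too large`) costs nothing and helps triage of fuzzer reports. Also confirm `<limits.h>` is reachable from mov.c for `UINT_MAX`.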
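Review bot: in the third hunk (mov_read_saiz) the new `atom.size > UINT_MAX` check sits directly before `data_size = atom.size - atom_header_size;`, but nothing in the visible lines guards the other direction: if `atom.size` can be smaller than `atom_header_size` the subtraction goes negative (or wraps, depending on the type of `data_size`). Unless an earlier check in this function already enforces `atom.size >= atom_header_size`, extend the condition to `if (atom.size < atom_header_size || atom.size > UINT_MAX)`. Nit: the message "saiz atom auxiliary_info_sizes size ... invalid" reads oddly; "saiz atom size %"PRId64" invalid" matches the senc wording.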