From patchwork Wed Nov 1 14:25:44 2017
X-Patchwork-Submitter: Carl Eugen Hoyos
X-Patchwork-Id: 5811
From: Carl Eugen Hoyos
Date: Wed, 1 Nov 2017 15:25:44 +0100
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH]lavc/alac: Avoid allocating huge memory blocks for malicious alac input.

Hi!

It appears to me that the alac decoder can be used for DoS, the attached patch limits the maximum frame size to eight times the default value.
(Higher values break our encoder here.)

Please comment and / or suggest another value,
Carl Eugen

From c2181c7ee83fcf93ba817cf6f9c3c9e1043a233c Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos
Date: Wed, 1 Nov 2017 15:14:22 +0100
Subject: [PATCH] lavc/alac: Avoid allocating huge memory blocks for malicious alac input.

---
 libavcodec/alac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index d6bd21b..66bee7f 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -524,7 +524,7 @@ static int alac_set_info(ALACContext *alac) alac->max_samples_per_frame = bytestream2_get_be32u(&gb); if (!alac->max_samples_per_frame || - alac->max_samples_per_frame > INT_MAX / sizeof(int32_t)) { + alac->max_samples_per_frame > 4096 * 16) { av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %"PRIu32"\n", alac->max_samples_per_frame); -- 1.7.10.4
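Review bot: The new bound `4096 * 16` in alac_set_info() is an unexplained magic number, and it does not match the cover letter, which says the cap is eight times the default frame size; if 4096 is that default, the literal is sixteen times it, so either the description or the constant needs correcting. Please give the bound a named constant with a comment stating where the value comes from (the cover letter's observation that larger frames break the encoder is the rationale readers will want), and keep in mind that the replaced `INT_MAX / sizeof(int32_t)` check was an arithmetic-overflow guard for the later size computation: the new cap is far smaller and so subsumes it, but a comment should say so, otherwise a future change that raises the cap could silently lose the overflow protection.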
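The patch illustrates two different limits on a container-declared count: an arithmetic bound (the value must not overflow the later byte-size computation) and a resource bound (a single frame must not reserve an arbitrarily large buffer). The following is an added example, not FFmpeg code: every name in it (demo_validate_samples, demo_frame_bytes, demo_alloc_frame, the DEMO_ constants) is hypothetical, the header bytes are constructed, and the cap is modelled on the hunk's 4096 * 16 without claiming that is the ALAC default.

```c
/* Added example (hypothetical names, not FFmpeg's code): validate a
 * per-frame sample count declared in a file header before it drives
 * buffer allocation, applying both an overflow bound and a resource cap. */
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical policy constants, modelled on the patch's 4096 * 16. */
#define DEMO_DEFAULT_FRAME_SIZE 4096u
#define DEMO_MAX_SAMPLES_PER_FRAME (DEMO_DEFAULT_FRAME_SIZE * 16u)
#define DEMO_MAX_CHANNELS 8u

/* Result codes for the validation step. */
enum demo_status {
    DEMO_OK = 0,
    DEMO_ERR_ZERO = -1,      /* zero samples per frame */
    DEMO_ERR_OVERFLOW = -2,  /* would overflow an int-sized byte count */
    DEMO_ERR_TOO_LARGE = -3  /* exceeds the resource cap */
};

/* Check a declared sample count against both bounds. The overflow bound
 * (what the removed check tested) keeps the size arithmetic honest; the
 * resource cap (what the patch adds) bounds memory per frame. Keeping
 * both makes the intent survive a later change to the cap. */
enum demo_status demo_validate_samples(uint32_t samples)
{
    if (samples == 0)
        return DEMO_ERR_ZERO;
    if (samples > INT_MAX / sizeof(int32_t))
        return DEMO_ERR_OVERFLOW;
    if (samples > DEMO_MAX_SAMPLES_PER_FRAME)
        return DEMO_ERR_TOO_LARGE;
    return DEMO_OK;
}

/* Byte size for `channels` planes of `samples` int32_t each; returns 0
 * when validation fails or the product would not fit in size_t. */
size_t demo_frame_bytes(uint32_t samples, uint32_t channels)
{
    size_t per_plane;
    if (demo_validate_samples(samples) != DEMO_OK)
        return 0;
    if (channels == 0 || channels > DEMO_MAX_CHANNELS)
        return 0;
    per_plane = (size_t)samples * sizeof(int32_t);
    if (per_plane > SIZE_MAX / channels)
        return 0;
    return per_plane * channels;
}

/* Parse the big-endian 32-bit field from a 4-byte header and allocate
 * only if it validates. Returns NULL (and logs) on rejection. */
int32_t *demo_alloc_frame(const uint8_t hdr[4], uint32_t channels,
                          size_t *out_bytes)
{
    uint32_t samples = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                       ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    size_t bytes = demo_frame_bytes(samples, channels);
    if (bytes == 0) {
        fprintf(stderr, "max samples per frame invalid: %u\n", samples);
        return NULL;
    }
    if (out_bytes)
        *out_bytes = bytes;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values: a 4096-sample frame and one declaring 2^31. */
    const uint8_t sane[4] = {0x00, 0x00, 0x10, 0x00};
    const uint8_t huge[4] = {0x80, 0x00, 0x00, 0x00};
    size_t n = 0;
    int32_t *buf = demo_alloc_frame(sane, 2, &n);
    printf("sane frame: %s (%zu bytes)\n", buf ? "accepted" : "rejected", n);
    free(buf);
    buf = demo_alloc_frame(huge, 2, &n);
    printf("huge frame: %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```

The distinct error codes matter for the log line: an overflow rejection and a policy-cap rejection look identical to a user otherwise, and telling them apart is what lets a maintainer decide whether a rejected file is hostile or merely larger than the chosen cap.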