Message ID | CACHq7jeeSwW-uRcqQKdLB+fyBwOEANRFLtjwrUpnp0LC5_fP8A@mail.gmail.com |
---|---|
State | Superseded |
Think I messed up the formatting of the in-line patch somehow. I'll send the patch as an attachment instead. Hope reply and attach is ok? On Sun, Oct 27, 2019 at 8:22 PM Mattias Wadman <mattias.wadman@gmail.com> wrote: > A too big picture will cause the muxer to write a truncated block size > (uint24) > causing the output file to be corrupt. > > How to reproduce: > > Write a file with truncated block size: > ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0 > -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac > > Try to decode: > ffmpeg -i test.flac test.wav > > Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com> > --- > libavformat/flacenc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git libavformat/flacenc.c libavformat/flacenc.c > index 93cc79bbe0..957bcb1123 100644 > --- libavformat/flacenc.c > +++ libavformat/flacenc.c > @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, > AVPacket *pkt) > AVDictionaryEntry *e; > const char *mimetype = NULL, *desc = ""; > const AVStream *st = s->streams[pkt->stream_index]; > - int i, mimelen, desclen, type = 0; > + int i, mimelen, desclen, type = 0, blocklen = 0; > > if (!pkt->data) > return 0; > @@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext > *s, AVPacket *pkt) > desc = e->value; > desclen = strlen(desc); > > + blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + > pkt->size; > + if (blocklen >= 1<<24) { > + av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n", > blocklen, 1<<24); > + return AVERROR(EINVAL); > + } > + > avio_w8(pb, 0x06); > - avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + > pkt->size); > + avio_wb24(pb, blocklen); > > avio_wb32(pb, type); > > -- > 2.22.0 >
On Sun, Oct 27, 2019 at 10:06:11PM +0100, Mattias Wadman wrote: > Think i messed up the formatting of the in-line patch somehow. Ill send the > patch as an attachment instead. Hope reply and attach is ok? > > On Sun, Oct 27, 2019 at 8:22 PM Mattias Wadman <mattias.wadman@gmail.com> > wrote: > > > A too big picture will case the muxer to write a truncated block size > > (uint24) > > causing the output file to be corrupt. > > > > How to reproduce: > > > > Write a file with truncated block size: > > ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0 > > -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac > > > > Try to decode: > > ffmpeg -i test.flac test.wav > > > > Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com> > > --- > > libavformat/flacenc.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > diff --git libavformat/flacenc.c libavformat/flacenc.c > > index 93cc79bbe0..957bcb1123 100644 > > --- libavformat/flacenc.c > > +++ libavformat/flacenc.c > > @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, > > AVPacket *pkt) > > AVDictionaryEntry *e; > > const char *mimetype = NULL, *desc = ""; > > const AVStream *st = s->streams[pkt->stream_index]; > > - int i, mimelen, desclen, type = 0; > > + int i, mimelen, desclen, type = 0, blocklen = 0; > > > > if (!pkt->data) > > return 0; 
> > @@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext > > *s, AVPacket *pkt) > > desc = e->value; > > desclen = strlen(desc); > > > > + blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + > > pkt->size; > > + if (blocklen >= 1<<24) { > > + av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n", > > blocklen, 1<<24); > > + return AVERROR(EINVAL); > > + } > > + > > avio_w8(pb, 0x06); > > - avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + > > pkt->size); > > + avio_wb24(pb, blocklen); > > > > avio_wb32(pb, type); > > > > -- > > 2.22.0 > > > flacenc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > 4b8ce8290f9727383c669467ba5c8358ac12b156 0001-libavformat-flacenc-reject-too-large-picture-blocks.patch > From ea7cfb4fde056fbfdc9c7970453176281a16df27 Mon Sep 17 00:00:00 2001 > From: Mattias Wadman <mattias.wadman@gmail.com> > Date: Sun, 27 Oct 2019 20:00:06 +0100 > Subject: [PATCH] libavformat/flacenc: reject too large picture blocks > > A large picture will case the muxer to write a truncated block size (uint24) > causing the output file to be corrupt. > > How to reproduce: > > Write a file with truncated block size: > ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac > > Try to decode: > ffmpeg -i test.flac test.wav > > Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com> > --- > libavformat/flacenc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git libavformat/flacenc.c libavformat/flacenc.c > index 93cc79bbe0..957bcb1123 100644 > --- libavformat/flacenc.c > +++ libavformat/flacenc.c 
> @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt) > AVDictionaryEntry *e; > const char *mimetype = NULL, *desc = ""; > const AVStream *st = s->streams[pkt->stream_index]; > - int i, mimelen, desclen, type = 0; > + int i, mimelen, desclen, type = 0, blocklen = 0; The initialization to 0 is useless [...]
diff --git libavformat/flacenc.c libavformat/flacenc.c index 93cc79bbe0..957bcb1123 100644 --- libavformat/flacenc.c +++ libavformat/flacenc.c @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt) AVDictionaryEntry *e; const char *mimetype = NULL, *desc = ""; const AVStream *st = s->streams[pkt->stream_index]; - int i, mimelen, desclen, type = 0; + int i, mimelen, desclen, type = 0, blocklen = 0; if (!pkt->data)
A too big picture will cause the muxer to write a truncated block size (uint24) causing the output file to be corrupt. How to reproduce: Write a file with truncated block size: ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac Try to decode: ffmpeg -i test.flac test.wav Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com> --- libavformat/flacenc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) return 0; @@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt) desc = e->value; desclen = strlen(desc); + blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size; + if (blocklen >= 1<<24) { + av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n", blocklen, 1<<24); + return AVERROR(EINVAL); + } + avio_w8(pb, 0x06); - avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size); + avio_wb24(pb, blocklen); avio_wb32(pb, type); -- 2.22.0
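Review bot: in the declaration hunk (`@@ -93,7 +93,7 @@`), the `= 0` on `blocklen` is dead, since the second hunk assigns it unconditionally before the first read; `int i, mimelen, desclen, type = 0, blocklen;` is enough. The type deserves a second look while here: `blocklen` is the sum of `pkt->size` and two `strlen()` results all held in `int`, so a packet whose size is already close to `INT_MAX` makes that addition overflow (undefined behaviour in C) and a wrapped, negative value would pass the `blocklen >= 1<<24` test in the next hunk. Computing the sum as `int64_t`, or comparing `pkt->size` against the limit before adding the fixed fields, removes that corner.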
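Review bot: in the `@@ -140,8 +140,14 @@` hunk the `>= 1<<24` bound is correct, since a 24-bit length field holds at most 2^24-1, but the literal is written twice, once in the test and again as the `av_log()` argument; a single named constant (or one `1 << 24` with spaces, matching the codebase's operator style) keeps the two from drifting apart. The error text could also say what the limit is ("FLAC metadata block length is limited to 24 bits"), since a user who hits it with `-disposition attached_pic` otherwise has no clue why a perfectly valid image was refused. The reproduction in the commit message is a ready-made regression test: a FATE entry that attaches an oversize picture and expects the muxer to fail would keep the check from being lost.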
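The failure the commit message describes, as an added example that is not FFmpeg code and does not touch libavformat: it repeats the patch's length sum in 64-bit arithmetic, models the low-24-bit truncation a 24-bit big-endian writer such as avio_wb24() ends up storing, and contrasts the unguarded write with the guarded one by reading the length back out of the METADATA_BLOCK_HEADER. The MIME string length, the approximate size of the 2400x2400 24-bit BMP the repro command attaches, and the small-picture size are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The FLAC METADATA_BLOCK_HEADER length field is 24 bits wide. */
#define FLAC_BLOCK_LEN_MAX      ((int64_t)(1 << 24) - 1)
#define FLAC_BLOCK_TYPE_PICTURE 6

/* Same sum the patch computes: picture type (4), MIME length (4) + MIME,
 * description length (4) + description, width/height/depth/colours (4 each),
 * data length (4) + data. Done in 64 bits so it cannot wrap before the check. */
static int64_t flac_picture_block_len(size_t mimelen, size_t desclen, size_t datalen)
{
    return 4 + 4 + (int64_t)mimelen + 4 + (int64_t)desclen
         + 4 + 4 + 4 + 4 + 4 + (int64_t)datalen;
}

/* Big-endian METADATA_BLOCK_HEADER: 1-bit last-block flag, 7-bit type, 24-bit length. */
static void write_block_header(uint8_t hdr[4], int last, unsigned type, uint32_t len24)
{
    hdr[0] = (uint8_t)((last ? 0x80u : 0u) | (type & 0x7Fu));
    hdr[1] = (uint8_t)(len24 >> 16);
    hdr[2] = (uint8_t)(len24 >> 8);
    hdr[3] = (uint8_t)len24;
}

/* What a demuxer reads back as the block length. */
static uint32_t read_block_len(const uint8_t hdr[4])
{
    return ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* Unpatched behaviour: the sum goes straight into the 24-bit field, so a
 * value above FLAC_BLOCK_LEN_MAX keeps only its low 24 bits. Returns the
 * (possibly truncated) length the header now declares. */
static uint32_t unchecked_declared_len(size_t mimelen, size_t desclen, size_t datalen)
{
    uint8_t hdr[4];
    uint32_t len24 = (uint32_t)(flac_picture_block_len(mimelen, desclen, datalen) & 0xFFFFFF);
    write_block_header(hdr, 0, FLAC_BLOCK_TYPE_PICTURE, len24);
    return read_block_len(hdr);
}

/* Patched behaviour: refuse to write a block whose length does not fit.
 * Returns -1 when rejected, otherwise the length read back from the header. */
static int64_t checked_declared_len(size_t mimelen, size_t desclen, size_t datalen)
{
    uint8_t hdr[4];
    int64_t len = flac_picture_block_len(mimelen, desclen, datalen);
    if (len > FLAC_BLOCK_LEN_MAX)
        return -1;
    write_block_header(hdr, 0, FLAC_BLOCK_TYPE_PICTURE, (uint32_t)len);
    return read_block_len(hdr);
}

int main(void)
{
    /* Constructed input: a 2400x2400 24-bit BMP like the one the repro command
     * attaches is roughly 2400*2400*3 bytes plus a 54-byte header (assumed size). */
    size_t big_bmp   = (size_t)2400 * 2400 * 3 + 54;
    size_t mimelen   = 9;      /* strlen("image/bmp"), assumed MIME type */
    size_t small_pic = 1000;   /* a picture that fits comfortably */

    printf("real block length : %lld\n",
           (long long)flac_picture_block_len(mimelen, 0, big_bmp));
    printf("unchecked header  : %u  (truncated, output file is corrupt)\n",
           unchecked_declared_len(mimelen, 0, big_bmp));
    printf("checked           : %lld  (-1 = rejected with an error)\n",
           (long long)checked_declared_len(mimelen, 0, big_bmp));
    printf("small picture     : %lld\n",
           (long long)checked_declared_len(mimelen, 0, small_pic));
    return 0;
}
```

The truncated header is the reason the repro's test.flac fails to decode: the demuxer reads a PICTURE block length of a few hundred kilobytes, skips exactly that far, and then tries to parse the middle of the BMP as the next block header.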