From patchwork Wed Sep  7 21:38:48 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sergey Volk <servolk@chromium.org>
X-Patchwork-Id: 470
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.140.134 with SMTP id o128csp513213vsd;
	Wed, 7 Sep 2016 14:39:09 -0700 (PDT)
X-Received: by 10.28.50.199 with SMTP id y190mr6065098wmy.61.1473284349084;
	Wed, 07 Sep 2016 14:39:09 -0700 (PDT)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	hv4si37602396wjb.279.2016.09.07.14.39.00;
	Wed, 07 Sep 2016 14:39:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	dkim=neutral (body hash did not verify) header.i=@google.com;
	dkim=neutral (body hash did not verify) header.i=@chromium.org;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
	dmarc=fail (p=NONE dis=NONE) header.from=chromium.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5D9CA68A0BE;
	Thu,  8 Sep 2016 00:38:48 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-it0-f44.google.com (mail-it0-f44.google.com
	[209.85.214.44])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 459AC68A08F
	for <ffmpeg-devel@ffmpeg.org>; Thu,  8 Sep 2016 00:38:41 +0300 (EEST)
Received: by mail-it0-f44.google.com with SMTP id e124so222223556ith.0
	for <ffmpeg-devel@ffmpeg.org>; Wed, 07 Sep 2016 14:38:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=20120113;
	h=mime-version:sender:in-reply-to:references:from:date:message-id
	:subject:to; bh=CT2698BXZEkbAXha/MsclHNdldHHVoSsXoiRVVRhxfg=;
	b=hhya6KqYIFVRoTSgfVuVoLLmyjiMbTC6/TCpjQGtnTUZUcjjkqF7YSyQ/qY9RGaidb
	E0zhEkxZkWOSBHMlDrHvnbAODLCcCXaVmfW7ePA0JWbJgAadKYUrU85G/ZjTfYMmkycI
	FiIG8WqoyCi0eq5IKO2Q2SSuZaqLT9KtyRlcupjcioIBaxu6ZEalb4Zb5hONRmHZy1Sm
	z0APSlB5WQFrKI+B9J+61IzZZDn5p06ZMTC8YM4LAzXme4C11gJfZirxHh6A8mby8gRy
	9WtQ00Yp2WOquiXI3VgvC1E5RtS24hpWC7SmfC3XnkcrJuRgAuVOi/VqUsa2uebc5OQg
	QYQw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;
	s=google;
	h=mime-version:sender:in-reply-to:references:from:date:message-id
	:subject:to; bh=CT2698BXZEkbAXha/MsclHNdldHHVoSsXoiRVVRhxfg=;
	b=SBXTG/xJxPhI5UCtXdd5fhpjBTP+zGsUzpLB1eD5iZz4hhMFnxupF/uli9wP7p6z5h
	CZSutv1n27epvVq7dQqIGVENBbt6IRS03JAw7BkLaTEMK0x17Z7mirNPLJ6/XT+upy2T
	Mbl2g+SO6ZQI1O/aJsFmxDVVjJZBOs9/EiFdI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
	:date:message-id:subject:to;
	bh=CT2698BXZEkbAXha/MsclHNdldHHVoSsXoiRVVRhxfg=;
	b=AHBfWmeW1VLsvxAbqh24944yo7XCY0N2Qezp/nUcDhgHAuoSC+/Ib7uvxfcj0CRJHt
	L9Lz71q3QWX8poxaj3ZS6cezona58SrpsbSbQfwAdBltwqALVjxZUixEk3Dsff4Fj8fh
	o17O/nIKKmg0LbSgdFhFFHSLtTJgqiiIMu9JpFZAnqkcnFNpk1WPnDDAeBnLrHi0j89Q
	ej2wBP7oJTbJR+WNJxP6Xz/Oqm5SiFLHEwLr0XUonRK8/2YmiW0oyac8HyLxf/0NcfjK
	yXFrpCMJiYupQ8DKo/RVKoxjrc80ldlz2gQNoz+zTxvnW0jbm25Tjv0VZrki5agFBtS1
	N+wg==
X-Gm-Message-State: 
 AE9vXwPczkSnshqSdljEgCJM2MXjntlPWBNU65rGLGloquEeISmqEzcPKZ2FynSXTRouCBcmdDRqwKjszqyJBeIx
X-Received: by 10.36.77.85 with SMTP id l82mr10063858itb.77.1473284329293;
	Wed, 07 Sep 2016 14:38:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.200.65 with HTTP; Wed, 7 Sep 2016 14:38:48 -0700 (PDT)
In-Reply-To: 
 <CAP5JBsSRDW15EB28FRHST_r-orF3M6yT0K02mXWV=o5CQab0tQ@mail.gmail.com>
References: 
 <CAP5JBsSRDW15EB28FRHST_r-orF3M6yT0K02mXWV=o5CQab0tQ@mail.gmail.com>
From: Sergey Volk <servolk@chromium.org>
Date: Wed, 7 Sep 2016 14:38:48 -0700
X-Google-Sender-Auth: 31fmaCjaoQanTkS7PIzYjYOkWMg
Message-ID: 
 <CAP5JBsRkephKJL7KKsAdqnEB0-oyjiF2MB0sEg012T1MdvC7qA@mail.gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
Subject: Re: [FFmpeg-devel] [PATCH] Fix potential integer overflow in
	mov_read_keys
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

I just realized that count+1 itself might overflow if count==UINT_MAX, so I
guess it's better to subtract 1 from the right-hand side. Attached updated
patch.

On Wed, Sep 7, 2016 at 2:21 PM, Sergey Volk <servolk@chromium.org> wrote:

> Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
> we need to check that (count + 1) won't cause overflow.
>
>

From 87a7a2e202ebb63362715054773a89ce1fc71743 Mon Sep 17 00:00:00 2001
From: Sergey Volk <servolk@google.com>
Date: Wed, 7 Sep 2016 14:05:35 -0700
Subject: [PATCH] Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f499906..a7595c5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3278,7 +3278,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     avio_skip(pb, 4);
     count = avio_rb32(pb);
-    if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+    if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
         av_log(c->fc, AV_LOG_ERROR,
                "The 'keys' atom with the invalid key count: %d\n", count);
         return AVERROR_INVALIDDATA;
-- 
2.8.0.rc3.226.g39d4020