From patchwork Mon Jul 31 23:42:20 2017
X-Patchwork-Submitter: Dale Curtis
X-Patchwork-Id: 4557
From: Dale Curtis
Date: Mon, 31 Jul 2017 16:42:20 -0700
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [mov] Bail when invalid sample data is present.

I'm not convinced my original patch catches all cases. So here's an updated one which explicitly verifies the contract.

- dale

On Mon, Jul 31, 2017 at 2:40 PM, Dale Curtis wrote:
> [mov] Bail when invalid sample data is present.
>
> ctts data in ffmpeg relies on the index entries array to be 1:1
> with samples... yet sc->sample_count can be read directly from
> the 'stsz' box and index entries are only generated if a chunk
> count has been read from 'stco' box.
>
> Ensure that if sc->sample_count > 0, sc->chunk_count is too.
>
> This should be applied on top of the ctts fixes in my previous patch.
>

From 51571dd294350f2ef367fd9391ed4c1e94387947 Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Mon, 31 Jul 2017 13:44:22 -0700
Subject: [PATCH] [mov] Bail when invalid sample data is present.

ctts data in ffmpeg relies on the index entries array to be 1:1
with samples... yet sc->sample_count can be read directly from
the 'stsz' box and index entries are only generated if a chunk
count has been read from 'stco' box.

Ensure that if sc->sample_count > 0, sc->chunk_count is too as a
basic sanity check.

Additionally we need to check that after the index is built we
have the right number of entries, so we also check in
mov_read_trun() that sc->sample_count == st->nb_index_entries.
---
 libavformat/mov.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c index 13b5e454d8..6edb898b3e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3752,8 +3752,9 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->trak_index = -1; /* sanity checks */ - if (sc->chunk_count && (!sc->stts_count || !sc->stsc_count || - (!sc->sample_size && !sc->sample_count))) { + if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || + (!sc->sample_size && !sc->sample_count))) || + (!sc->chunk_count && sc->sample_count)) { av_log(c->fc, AV_LOG_ERROR, "stream %d, missing mandatory atoms, broken header\n", st->index); return 0; @@ -4288,6 +4289,9 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) * 3) in the subsequent movie fragments, there are samples with composition time offset. */ if (!sc->ctts_count && sc->sample_count) { + /* ctts relies on being 1:1 with sample entries. */ + if (sc->sample_count != st->nb_index_entries) + return AVERROR_INVALIDDATA; /* Complement ctts table if moov atom doesn't have ctts atom. */ ctts_data = av_fast_realloc(NULL, &sc->ctts_allocated_size, sizeof(*sc->ctts_data) * sc->sample_count); if (!ctts_data) -- 2.14.0.rc0.400.g1c36432dff-goog
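Review bot: in the mov_read_trak hunk the new `(!sc->chunk_count && sc->sample_count)` case is folded into the existing condition and so fails with the same "stream %d, missing mandatory atoms, broken header" message and the same `return 0`, which makes the two very different failures indistinguishable in the log: the old branch fires when a track with chunks lacks stts/stsc/size information, the new one when stsz declares samples but no stco chunk table was read. Suggest splitting it into a second `if` with its own message that reports both counts, e.g. `"stream %d, %u samples declared but no chunk offsets, broken header\n"` with `sc->sample_count`, so a rejected file can be triaged from the log alone; the combined nested parentheses are also hard to verify by eye, and two statements make the intent plain.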
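Review bot: in the mov_read_trun hunk the new `if (sc->sample_count != st->nb_index_entries) return AVERROR_INVALIDDATA;` rejects the file silently, whereas the sibling check in mov_read_trak logs at AV_LOG_ERROR before bailing; add an av_log that prints both values (sample count from stsz versus index entries built from the chunk table) so a fragmented file refused here can be diagnosed. The comment "ctts relies on being 1:1 with sample entries" would also read better if it named what is being compared, since the commit text carries that explanation but the code does not. Finally, because the commit message says this sits on top of the earlier ctts fixes, the check should be reviewed and tested with that series applied, as it lives inside the branch that complements the ctts table.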
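The invariant the commit message describes (the sample count comes from stsz, the index entries only exist if stco supplied a chunk count, and the ctts table is sized from the former while indexed by the latter) is easiest to see with the check run against constructed sample tables. The following is an added example, not code from this mail or from FFmpeg: `TrackTables` is a hypothetical stand-in for the MOVStreamContext fields the patch compares, the box payloads are reduced to version/flags plus the leading count fields, and all function names are this example's own. It parses a small run of boxes, then applies the sanity check as it stood before and after the patch so the gap the patch closes is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the MOVStreamContext fields the patch compares;
 * this is a constructed struct for the example, not FFmpeg's. */
typedef struct {
    uint32_t stts_count, stsc_count, sample_size, sample_count, chunk_count;
} TrackTables;

static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wb32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk a flat run of ISO BMFF boxes (size, type, payload) and pick up the
 * counts; payloads are version/flags followed by the box's leading fields. */
int parse_tables(const uint8_t *buf, size_t len, TrackTables *t)
{
    size_t pos = 0;
    memset(t, 0, sizeof(*t));
    while (len - pos >= 8) {
        uint32_t size = rb32(buf + pos), plen;
        const uint8_t *type = buf + pos + 4, *payload = buf + pos + 8;
        if (size < 8 || size > len - pos)   /* box overruns the buffer */
            return -1;
        plen = size - 8;
        if (!memcmp(type, "stsz", 4) && plen >= 12) {
            t->sample_size  = rb32(payload + 4);
            t->sample_count = rb32(payload + 8);
        } else if (!memcmp(type, "stco", 4) && plen >= 8) {
            t->chunk_count = rb32(payload + 4);
        } else if (!memcmp(type, "stts", 4) && plen >= 8) {
            t->stts_count = rb32(payload + 4);
        } else if (!memcmp(type, "stsc", 4) && plen >= 8) {
            t->stsc_count = rb32(payload + 4);
        }
        pos += size;
    }
    return pos == len ? 0 : -1;
}

/* Sanity check before the patch: only tracks that have chunks are examined. */
int tables_consistent_before(const TrackTables *t)
{
    return !(t->chunk_count && (!t->stts_count || !t->stsc_count ||
                                (!t->sample_size && !t->sample_count)));
}

/* After the patch: a declared sample count with no chunk table is rejected
 * too, because no index entries (and so no 1:1 ctts table) could be built. */
int tables_consistent_after(const TrackTables *t)
{
    return tables_consistent_before(t) && !(!t->chunk_count && t->sample_count);
}

/* Append one constructed box: size, type, then n big-endian 32-bit fields. */
static size_t put_box(uint8_t *out, const char *type, const uint32_t *f, size_t n)
{
    size_t i;
    wb32(out, (uint32_t)(8 + 4 * n));
    memcpy(out + 4, type, 4);
    for (i = 0; i < n; i++)
        wb32(out + 8 + 4 * i, f[i]);
    return 8 + 4 * n;
}

/* Constructed tables for a 3-sample track; with_stco selects whether the
 * chunk offset box is emitted at all.  buf needs 68 bytes. */
size_t build_track(uint8_t *buf, int with_stco)
{
    const uint32_t stts[] = { 0, 1 }, stsc[] = { 0, 1 }, stco[] = { 0, 1 };
    const uint32_t stsz[] = { 0, 0, 3 };  /* version/flags, sample_size, count */
    size_t n = 0;
    n += put_box(buf + n, "stts", stts, 2);
    n += put_box(buf + n, "stsc", stsc, 2);
    n += put_box(buf + n, "stsz", stsz, 3);
    if (with_stco)
        n += put_box(buf + n, "stco", stco, 2);
    return n;
}

/* Parse a constructed track and run the old (0) or patched (1) check;
 * returns 1 if accepted, 0 if rejected, -1 on a parse error. */
int check_track(int with_stco, int patched)
{
    uint8_t buf[96];
    TrackTables t;
    size_t n = build_track(buf, with_stco);
    if (parse_tables(buf, n, &t) < 0)
        return -1;
    return patched ? tables_consistent_after(&t) : tables_consistent_before(&t);
}

/* A box whose size field overruns the buffer is refused before any count
 * from it can be trusted. */
int parse_overrun_box(void)
{
    const uint8_t bad[8] = { 0, 0, 0, 100, 's', 't', 'c', 'o' };
    TrackTables t;
    return parse_tables(bad, sizeof(bad), &t);
}
```

`check_track(0, 0)` returns 1: the pre-patch check never looks at a track with `chunk_count == 0`, so three declared samples with no chunk table are accepted and the ctts path later sizes its table from a sample count that no index entry backs. `check_track(0, 1)` returns 0 for the same input, which is the condition the first hunk adds; the second hunk then guards the remaining case where entries do exist but their count drifts from `sample_count`.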