From patchwork Thu Sep 30 02:58:19 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Soft Works
X-Patchwork-Id: 30675
From: Soft Works
To: "ffmpeg-devel@ffmpeg.org"
Date: Thu, 30 Sep 2021 02:58:19 +0000
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR04MB5503 Subject: [FFmpeg-devel] [PATCH v5 1/7] libavformat/asf: Fix handling of byte array length values X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: E7ej1jtBgEPs The spec allows attachment sizes of up to UINT32_MAX while we can handle only sizes up to INT32_MAX (in downstream code). The debug.assert in get_tag didn't really address this, and truncating the value_len in calling methods cannot be used because the length value is required in order to continue parsing. This adds a check with log message in ff_asf_handle_byte_array to handle those (rare) cases. Signed-off-by: softworkz --- v5: Split into pieces as requested libavformat/asf.c | 12 +++++++++--- libavformat/asf.h | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/asf.c b/libavformat/asf.c index 1ac8b5f078..179b66a2b4 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len) } int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, - int val_len) + uint32_t val_len) { + if (val_len > INT32_MAX) { + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name); + return 1; + } + if (!strcmp(name, "WM/Picture")) // handle cover art - return asf_read_picture(s, val_len); + return asf_read_picture(s, (int)val_len); else if (!strcmp(name, "ID3")) // handle ID3 tag - return get_id3_tag(s, val_len); + return get_id3_tag(s, (int)val_len); + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name); return 1; } 
diff --git a/libavformat/asf.h b/libavformat/asf.h index 01cc4f7a46..4d28560f56 100644 --- a/libavformat/asf.h +++ b/libavformat/asf.h @@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[]; * is unsupported by this function and 0 otherwise. */ int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, - int val_len); + uint32_t val_len); #define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
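Review bot: in the libavformat/asf.c hunk, the new `val_len > INT32_MAX` branch returns 1 without consuming any input, the same value the function returns for an unsupported tag name, so the callers (not part of this patch) have to skip the full 32-bit val_len themselves for parsing to stay in sync. Please confirm that each caller keeps the length in an unsigned 32-bit or wider variable and skips exactly that many bytes when 1 is returned. Two smaller points: the bound is INT32_MAX but the value is then cast to int, so comparing against INT_MAX would match the type that asf_read_picture and get_id3_tag actually take; and the log line would be more useful with the rejected length in it, for example by adding `%"PRIu32"` and val_len to the message.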
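Review bot: in the libavformat/asf.h hunk, the doc comment above the prototype still ends with "is unsupported by this function and 0 otherwise", which does not cover the case added in asf.c where a length above INT32_MAX is rejected with 1 whatever the tag name is. Suggest extending the comment to say so, and to state what the caller is expected to do with the val_len bytes when 1 is returned. Also, with the parameter now uint32_t, any call site that still passes an int gets an implicit conversion, so a negative length becomes a value above INT32_MAX and takes the new rejection path; the call sites should read the length into a uint32_t so that this is explicit rather than a side effect of the conversion.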