From: Soft Works
To: "ffmpeg-devel@ffmpeg.org"
Date: Wed, 6 Oct 2021 06:00:54 +0000
X-Patchwork-Id: 30922
Subject: [FFmpeg-devel] [PATCH v6 03/11] libavformat/asfdec: Fix type of value_len

The value_len is a uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break.

Signed-off-by: softworkz
--- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index d31e1d581d..29b429fee9 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) static int asf_read_content_desc(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); 
@@ -614,25 +614,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM);
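Review bot: the get_tag hunk (@@ -218,7) changes `len` to uint32_t in the signature only. The diffstat (11 insertions, 13 deletions) is fully accounted for by the three hunks shown, so nothing in the body of get_tag was adjusted for the new type. Every use of `len` in that body now does unsigned 32-bit arithmetic: any allocation size derived from it and any comparison against a signed value should be re-checked for wraparound and implicit conversion. Please either add the guard in this patch or state in the commit message that the existing checks in get_tag were reviewed and still hold for the full uint32_t range.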
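Review bot: in the asf_read_content_desc hunk (@@ -528,7), the visible context fills len1 and len2 from avio_rl16(), so uint32_t is wider than the field being read, while the asf_read_metadata hunk uses uint16_t for the 16-bit fields it reads. For consistency, declare these as uint16_t as well, or add a one-line comment that the wider type is chosen only to match get_tag's new `uint32_t len` parameter.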
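Review bot: in the asf_read_metadata hunk (@@ -614,25), removing `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` leaves value_len, a 32-bit length taken straight from the file via avio_rl32(), with no upper bound anywhere in the visible lines. The `< 0` half is dead once the type is uint32_t, but a limit is still needed. The function receives `int64_t size` for the object, so value_len could be validated against the bytes remaining in the object and rejected with AVERROR_INVALIDDATA. That keeps the length untruncated, as the commit message requires, without trusting an attacker-controlled value for later reads or skips. Separately, the `(uint16_t)` casts on avio_rl16() are redundant given the uint16_t destination types and can be dropped.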