From patchwork Wed Oct 6 06:01:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Soft Works X-Patchwork-Id: 30920 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a6b:6506:0:0:0:0:0 with SMTP id z6csp56329iob; Tue, 5 Oct 2021 23:03:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz3f1goR40xBhNj9EAI/sERfUH4hsmN/1sQT1s/tK9OReLfFY7W9TJA1v6tJ3SAofGLa/Rr X-Received: by 2002:a50:ccc4:: with SMTP id b4mr32177018edj.83.1633500207662; Tue, 05 Oct 2021 23:03:27 -0700 (PDT) Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id l1si23879612ejz.748.2021.10.05.23.03.27; Tue, 05 Oct 2021 23:03:27 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@hotmail.com header.s=selector1 header.b=nHjELz7p; arc=fail (body hash mismatch); spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hotmail.com Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id BAF3968094F; Wed, 6 Oct 2021 09:01:26 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11olkn2073.outbound.protection.outlook.com [40.92.19.73]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3555268AB32 for ; Wed, 6 Oct 2021 09:01:23 +0300 (EEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jcx1O4oD1nfC7f9h7A/HdN/bErIIOeL6mTxjmHnqJ5umqoHt2Nkv3nh4K5/LB2e+O3Q7YEQ1eh/k55oXzCZM6iCSW0e395HqKwB1QFPFxtsrd4Vt/ihR5w2idaLkY7Yy5FG5toAOtRKUk07X6jH+ftorIHiIlKIPE3YTdt5zCc9kjHl4bhonVuRdr8vNUqNp1rpCwjmv83kqwarshRt7atGQfXJbQEFcD6WooumlX/p1MsCZ48mdmFJsGqcPEBi8ThBUB+Q2Qi8faOS+RIhQUiHSnEBNC9RmDmZy1uUc/866B24H936Dg7Fm+as7LgPlNNTnb8lrpbabl05FIGkBdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=881hHkc1YWUkvJ8RGDewUYj3N2HPdwshZ57tE0A7OXc=; b=ey54Q4AZ36bcQrnZp8RNu4s2/ScMLXAsg38GySlO2Bat4iRMgo2ZyIoFhxET1N1KDQev2VJ3wmPYofio4WIRZpH12IhSya/dUDKSW2Ja0AvxoXMsfKQZ9Az6Wpu0ozJibGhLAQTJPuYjkRiFS1NcNLKl9h9BKWjwdIveP6YQfawfe/fWR+/47aMMJOfWQsDsQuX4/VsRH97MSjeXd5TQf9WMz3KnLr7YbogBVjtM9G3nnxNAsxAhr1Sta9HAyRT1euHvDllHtEHUTCAw0ZCkcGWKJ6TTN/3CqAcsO/PX0pFb5kzT1hWU4PNngb3XTW5VQFvlSUfuCkHZby7xR161gA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=881hHkc1YWUkvJ8RGDewUYj3N2HPdwshZ57tE0A7OXc=; b=nHjELz7pzFKT62nusVqnXWxg7eSfGLxbzM8cZXanAlbPf3mMIy+46GTY4DGaCR+lPXIRlvOkIV0xxXd+N/RJsQfkOmFh1GnMWRTVEe1TwBvQL/h6FGFaEQNpXqXklQ14pKgWKT5pq5Lo/VYq3EiPnne4n5xeNKfiwTje0UrnFcI4qxXCTExnhC2x97+ymwMr6beMrZWm5Zu1XRH4a7Bdg8aioADtxv4x9UspaCAPAbyeMd7BAcoZgB4aoRHLjfop5aqG9slbFcngmMfc6uVCTFp9brJmUwIAGszf5aDaJHoC4XasAF33pslalANdp2+6ZHgRxLte7qJFf522tLMyng== Received: from MN2PR04MB5981.namprd04.prod.outlook.com (2603:10b6:208:da::10) by MN2PR04MB6253.namprd04.prod.outlook.com (2603:10b6:208:d9::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.13; Wed, 6 Oct 2021 06:01:21 +0000 Received: from MN2PR04MB5981.namprd04.prod.outlook.com ([fe80::ecfe:2528:2012:22cb]) by MN2PR04MB5981.namprd04.prod.outlook.com ([fe80::ecfe:2528:2012:22cb%5]) with mapi id 15.20.4566.022; Wed, 6 Oct 2021 06:01:21 +0000 From: Soft Works To: "ffmpeg-devel@ffmpeg.org" Thread-Topic: [PATCH v6 11/11] libavformat/asfdec: Fix variable types and add checks for unsupported values Thread-Index: AQHXuneWHJmwjETu5k6hOsZhpi4y6A== Date: Wed, 6 Oct 2021 06:01:21 +0000 Message-ID: References: <04c4183da3bb06cba3013b35c928876c5c8959f6.1633499980.git.softworkz@hotmail.com> <7e6f65bafd8a5d426f72aaddb1766040255f1d9d.1633499980.git.softworkz@hotmail.com> <9f1f7004020091a995b54d8752172b9e429aed53.1633499980.git.softworkz@hotmail.com> <1f9e954eaf80cbf2666e9011ff5c18ddaef9b270.1633499980.git.softworkz@hotmail.com> <67a3ef814a8956660209ea96afdc4b6b0727e094.1633499980.git.softworkz@hotmail.com> <6dd6ec1943ecaee3ba0712b5e3ce193e3f0702f9.1633499980.git.softworkz@hotmail.com> <84ad876e8f0f19696962f6d3660c7d3297324dab.1633499980.git.softworkz@hotmail.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-messagesentrepresentingtype: 1 x-tmn: [eoTKS05XFJGgedq9nNSdSts8uBTpLDVS] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: c21ff6b6-e9f3-4a5b-3677-08d9888eb8c6 x-ms-traffictypediagnostic: MN2PR04MB6253: x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: +rkdtspZCfm6DH7cNccyQpzARACeySlmUgUkEcpreUrYvNVrYEiXPf+oAj3IytrvOlwUQcG6kzW7m/v/5AmiKnehRm1m2vFaq2dkU4OxZFhWhheMZItg1FG4PpScKDfTk4WNzyzKj+KUk5yNZiNH28HXFW5mvnZgp3E/EDVxfQCiS0gdXl0p/Si/N3TPUbswmIDy2mkS+xgTcnGhPie9aonntKUNwHdGNuJBmu5Ktw8+ogFKWSTpus5qwo56Y7IFrUUhNl2IYQyGm6P4SsCL3uqiW8ZlA1eJ1RX/qSr4jMH+dpAigK4Oayq7qKDv2GZp2FUK4fKUFCKgRE6ghZDVPu4sJKna6LzAKyujZjFphc1gH2YaRh3BaNLutTFiSPVb5KWuUGKuU4/4bLRHaYcI/XB2m7oZRdDq4iRu+sZYtJ4nEHbIKfJAGtXwtH27Sm9j x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: HKZVXZwBSKB3PPiuvXBQUhOUZfe6DbnWO942mevKKTfh2vQFvN3gakXXpe3pZJeaLiM1DmQcCTUnQwHR1/e80XeD1VmCSWGHRrYuNt3kS1PPVnjmcWFEifgMXFwjEH7eJy1ohQ2LUwb2JuZzVclAbA== x-ms-exchange-transport-forked: True MIME-Version: 1.0 X-OriginatorOrg: sct-15-20-3174-20-msonline-outlook-529c7.templateTenant X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MN2PR04MB5981.namprd04.prod.outlook.com X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-CrossTenant-Network-Message-Id: c21ff6b6-e9f3-4a5b-3677-08d9888eb8c6 X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Oct 2021 06:01:21.6007 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR04MB6253 Subject: [FFmpeg-devel] [PATCH v6 11/11] libavformat/asfdec: Fix variable types and add checks for unsupported values X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: 6CZYTGLqVRHt Signed-off-by: softworkz --- libavformat/asfdec_f.c | 168 ++++++++++++++++++++++++++--------------- 1 file changed, 108 insertions(+), 60 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index b8140a6d57..c7141f6da1 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -332,9 +332,9 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size) ASFStream *asf_st; ff_asf_guid g; enum AVMediaType type; - int type_specific_size, sizeX; - unsigned int tag1; - int64_t pos1, pos2, start_time; + unsigned int tag1, type_specific_size, sizeX; + int64_t pos1, pos2; + uint32_t start_time; int test_for_ext_stream_audio, is_dvr_ms_audio = 0; if (s->nb_streams == ASF_MAX_STREAMS) { @@ -403,7 +403,14 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size) st->codecpar->codec_type = type; if (type == AVMEDIA_TYPE_AUDIO) { - int ret = ff_get_wav_header(s, pb, st->codecpar, type_specific_size, 0); + int ret; + + if (type_specific_size > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported WAV header size (> INT32_MAX)\n"); + return AVERROR(ENOTSUP); + } + + ret = ff_get_wav_header(s, pb, st->codecpar, (int)type_specific_size, 0); if (ret < 0) return ret; if (is_dvr_ms_audio) { @@ -433,21 +440,32 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size) } } else if (type == AVMEDIA_TYPE_VIDEO && size - (avio_tell(pb) - pos1 + 24) >= 51) { + unsigned int width, height; avio_rl32(pb); avio_rl32(pb); avio_r8(pb); avio_rl16(pb); /* size */ - sizeX = avio_rl32(pb); /* size */ - st->codecpar->width = avio_rl32(pb); - st->codecpar->height = avio_rl32(pb); + sizeX = avio_rl32(pb); /* size */ + width = avio_rl32(pb); + height = avio_rl32(pb); + + if (width > INT32_MAX || height > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height); + return AVERROR(ENOTSUP); + } + + st->codecpar->width = (int)width; + st->codecpar->height = (int)height; /* not available for asf */ avio_rl16(pb); /* panes */ st->codecpar->bits_per_coded_sample = avio_rl16(pb); /* depth */ tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { - if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) - return AVERROR_INVALIDDATA; + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_DEBUG, "Unsupported extradata size\n"); + return AVERROR(ENOTSUP); + } st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -499,9 +517,9 @@ static int asf_read_ext_stream_properties(AVFormatContext *s) ASFContext *asf = s->priv_data; AVIOContext *pb = s->pb; ff_asf_guid g; - int ext_len, payload_ext_ct, stream_ct, i; - uint32_t leak_rate, stream_num; - unsigned int stream_languageid_index; + uint16_t payload_ext_ct, stream_ct, i; + uint32_t leak_rate, ext_len; + uint16_t stream_languageid_index, stream_num; avio_rl64(pb); // starttime avio_rl64(pb); // endtime @@ -513,15 +531,15 @@ static int asf_read_ext_stream_properties(AVFormatContext *s) avio_rl32(pb); // alt-init-bucket-fullness avio_rl32(pb); // max-object-size avio_rl32(pb); // flags (reliable,seekable,no_cleanpoints?,resend-live-cleanpoints, rest of bits reserved) - stream_num = avio_rl16(pb); // stream-num + stream_num = (uint16_t)avio_rl16(pb); // stream-num - stream_languageid_index = avio_rl16(pb); // stream-language-id-index + stream_languageid_index = (uint16_t)avio_rl16(pb); // stream-language-id-index if (stream_num < 128) asf->streams[stream_num].stream_language_index = stream_languageid_index; avio_rl64(pb); // avg frametime in 100ns units - stream_ct = avio_rl16(pb); // stream-name-count - payload_ext_ct = avio_rl16(pb); // payload-extension-system-count + stream_ct = (uint16_t)avio_rl16(pb); // stream-name-count + payload_ext_ct = (uint16_t)avio_rl16(pb); // payload-extension-system-count if (stream_num < 128) { asf->stream_bitrates[stream_num] = leak_rate; @@ -535,12 +553,10 @@ static int asf_read_ext_stream_properties(AVFormatContext *s) } for (i = 0; i < payload_ext_ct; i++) { - int size; + uint16_t size; ff_get_guid(pb, &g); - size = avio_rl16(pb); + size = (uint16_t)avio_rl16(pb); ext_len = avio_rl32(pb); - if (ext_len < 0) - return AVERROR_INVALIDDATA; avio_skip(pb, ext_len); if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) { ASFPayload *p = &asf->streams[stream_num].payload[i]; @@ -577,20 +593,21 @@ static int asf_read_ext_content_desc(AVFormatContext *s) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int desc_count, i, ret; + uint16_t desc_count, i; + int ret; - desc_count = avio_rl16(pb); + desc_count = (uint16_t)avio_rl16(pb); for (i = 0; i < desc_count; i++) { - int name_len, value_type, value_len; + uint16_t name_len, value_type, value_len; char name[1024]; - name_len = avio_rl16(pb); + name_len = (uint16_t)avio_rl16(pb); if (name_len % 2) // must be even, broken lavf versions wrote len-1 name_len += 1; if ((ret = avio_get_str16le(pb, name_len, name, sizeof(name))) < name_len) avio_skip(pb, name_len - ret); - value_type = avio_rl16(pb); - value_len = avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); + value_len = (uint16_t)avio_rl16(pb); if (!value_type && value_len % 2) value_len += 1; /* My sample has that stream set to 0 maybe that mean the container. @@ -623,14 +640,16 @@ static int asf_read_language_list(AVFormatContext *s) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int j, ret; - int stream_count = avio_rl16(pb); + int ret; + uint16_t j; + const uint16_t stream_count = (uint16_t)avio_rl16(pb); + for (j = 0; j < stream_count; j++) { char lang[6]; - unsigned int lang_len = avio_r8(pb); + const uint8_t lang_len = (uint8_t)avio_r8(pb); if ((ret = avio_get_str16le(pb, lang_len, lang, sizeof(lang))) < lang_len) - avio_skip(pb, lang_len - ret); + avio_skip(pb, (int)lang_len - ret); if (j < 128) av_strlcpy(asf->stream_languages[j], lang, sizeof(*asf->stream_languages)); @@ -643,14 +662,14 @@ static int asf_read_metadata(AVFormatContext *s) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int n, name_len_utf8; - uint16_t stream_num, name_len_utf16, value_type; + int name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type, i, n; uint32_t value_len; - int ret, i; - n = avio_rl16(pb); + int ret; + n = (uint16_t)avio_rl16(pb); for (i = 0; i < n; i++) { - uint8_t *name; + char *name; avio_rl16(pb); // lang_list_index stream_num = (uint16_t)avio_rl16(pb); @@ -664,7 +683,7 @@ static int asf_read_metadata(AVFormatContext *s) return AVERROR(ENOMEM); if ((ret = avio_get_str16le(pb, name_len_utf16, name, name_len_utf8)) < name_len_utf16) - avio_skip(pb, name_len_utf16 - ret); + avio_skip(pb, (int)name_len_utf16 - ret); av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n", i, stream_num, name_len_utf16, value_type, value_len, name); @@ -697,19 +716,21 @@ static int asf_read_marker(AVFormatContext *s) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int i, count, name_len, ret; + int ret; + unsigned count, i; + uint16_t name_len; char name[1024]; avio_rl64(pb); // reserved 16 bytes avio_rl64(pb); // ... count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes - name_len = avio_rl16(pb); // name length + name_len = (uint16_t)avio_rl16(pb); // name length avio_skip(pb, name_len); for (i = 0; i < count; i++) { - int64_t pres_time; - int name_len; + uint64_t pres_time; + unsigned name2_len; if (avio_feof(pb)) return AVERROR_INVALIDDATA; @@ -720,13 +741,18 @@ static int asf_read_marker(AVFormatContext *s) avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags - name_len = avio_rl32(pb); // name length - if ((unsigned)name_len > INT_MAX / 2) + name2_len = avio_rl32(pb); // name length + if (name2_len > INT_MAX / 2) return AVERROR_INVALIDDATA; - if ((ret = avio_get_str16le(pb, name_len * 2, name, - sizeof(name))) < name_len) - avio_skip(pb, name_len - ret); - avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, pres_time, + if ((ret = avio_get_str16le(pb, (int)name2_len, name, + sizeof(name))) < name2_len) + avio_skip(pb, name2_len - ret); + + if (pres_time > INT64_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported presentation time value: %"PRIu64"\n", pres_time); + return AVERROR(ENOTSUP); + } + avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, (int64_t)pres_time, AV_NOPTS_VALUE, name); } @@ -739,7 +765,7 @@ static int asf_read_header(AVFormatContext *s) ff_asf_guid g; AVIOContext *pb = s->pb; int i; - int64_t gsize; + uint64_t gsize; ff_get_guid(pb, &g); if (ff_guidcmp(&g, &ff_asf_header)) @@ -754,7 +780,7 @@ static int asf_read_header(AVFormatContext *s) asf->streams[i].stream_language_index = 128; // invalid stream index means no language info for (;;) { - uint64_t gpos = avio_tell(pb); + const int64_t gpos = avio_tell(pb); int ret = 0; ff_get_guid(pb, &g); gsize = avio_rl64(pb); @@ -809,7 +835,12 @@ static int asf_read_header(AVFormatContext *s) len= avio_rl32(pb); av_log(s, AV_LOG_DEBUG, "Secret data:\n"); - if ((ret = av_get_packet(pb, pkt, len)) < 0) + if (len > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported encryption packet length: %d\n", len); + return AVERROR(ENOTSUP); + } + + if ((ret = av_get_packet(pb, pkt, (int)len)) < 0) return ret; av_hex_dump_log(s, AV_LOG_DEBUG, pkt->data, pkt->size); av_packet_unref(pkt); @@ -923,7 +954,7 @@ static int asf_read_header(AVFormatContext *s) static int asf_get_packet(AVFormatContext *s, AVIOContext *pb) { ASFContext *asf = s->priv_data; - uint32_t packet_length, padsize; + uint32_t packet_length, packet_ts, padsize; int rsize = 8; int c, d, e, off; @@ -1011,7 +1042,12 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb) return AVERROR_INVALIDDATA; } - asf->packet_timestamp = avio_rl32(pb); + packet_ts = avio_rl32(pb); + if (packet_ts > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported packet_timestamp value: %d\n", packet_ts); + return AVERROR(ENOTSUP); + } + asf->packet_timestamp = (int)packet_ts; avio_rl16(pb); /* duration */ // rsize has at least 11 bytes which have to be present @@ -1030,10 +1066,21 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb) rsize, packet_length, padsize, avio_tell(pb)); return AVERROR_INVALIDDATA; } - asf->packet_size_left = packet_length - padsize - rsize; + + if (packet_length - padsize - rsize > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported packet_size_left value: %d\n", packet_length - padsize - rsize); + return AVERROR(ENOTSUP); + } + asf->packet_size_left = (int)(packet_length - padsize - rsize); + if (packet_length < asf->hdr.min_pktsize) padsize += asf->hdr.min_pktsize - packet_length; - asf->packet_padsize = padsize; + if (padsize > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported packet padsize value: %d\n", padsize); + return AVERROR(ENOTSUP); + } + + asf->packet_padsize = (int)padsize; av_log(s, AV_LOG_TRACE, "packet: size=%d padsize=%d left=%d\n", s->packet_size, asf->packet_padsize, asf->packet_size_left); return 0; @@ -1068,22 +1115,23 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb) return AVERROR_INVALIDDATA; } if (asf->packet_replic_size >= 8) { - int64_t end = avio_tell(pb) + asf->packet_replic_size; + const int64_t end = avio_tell(pb) + asf->packet_replic_size; AVRational aspect; - asfst->packet_obj_size = avio_rl32(pb); - if (asfst->packet_obj_size >= (1 << 24) || asfst->packet_obj_size < 0) { + const unsigned packet_obj_size = avio_rl32(pb); + if (packet_obj_size >= (1 << 24)) { av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size); asfst->packet_obj_size = 0; return AVERROR_INVALIDDATA; } + asfst->packet_obj_size = (int)packet_obj_size; asf->packet_frag_timestamp = avio_rl32(pb); // timestamp for (i = 0; i < asfst->payload_ext_ct; i++) { ASFPayload *p = &asfst->payload[i]; - int size = p->size; + uint16_t size = p->size; int64_t payend; if (size == 0xFFFF) - size = avio_rl16(pb); + size = (uint16_t)avio_rl16(pb); payend = avio_tell(pb) + size; if (payend > end) { av_log(s, AV_LOG_ERROR, "too long payload\n"); @@ -1484,7 +1532,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, ASFStream *asf_st; int64_t pts; int64_t pos = *ppos; - int i; + unsigned i; int64_t start_pos[ASF_MAX_STREAMS]; for (i = 0; i < s->nb_streams; i++) @@ -1541,7 +1589,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t ret; if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) { - return ret; + return (int)ret; } if ((ret = ff_get_guid(s->pb, &g)) < 0)