From patchwork Wed Oct 6 06:00:51 2021
From: Soft Works
To: "ffmpeg-devel@ffmpeg.org"
Date: Wed, 6 Oct 2021 06:00:51 +0000
Subject: [FFmpeg-devel] [PATCH v6 02/11] libavformat/asfdec: Fix get_value return type and add checks for unsupported values

get_value had a return type of int, which means that reading QWORDS (case 4) was broken due to truncation of the result from avio_rl64().

Signed-off-by: softworkz
--- libavformat/asfdec_f.c | 38 +++++++++++++++++++++++++++++--------- 1 file changed, 29 insertions(+), 9 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index a8f36ed286..d31e1d581d 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -202,7 +202,7 @@ static int asf_probe(const AVProbeData *pd) /* size of type 2 (BOOL) is 32bit for "Extended Content Description Object" * but 16 bit for "Metadata Object" and "Metadata Library Object" */ -static int get_value(AVIOContext *pb, int type, int type2_size) +static uint64_t get_value(AVIOContext *pb, int type, int type2_size) { switch (type) { case ASF_BOOL: 
@@ -567,10 +567,22 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size) /* My sample has that stream set to 0 maybe that mean the container. * ASF stream count starts at 1. I am using 0 to the container value * since it's unused. */ - if (!strcmp(name, "AspectRatioX")) - asf->dar[0].num = get_value(s->pb, value_type, 32); - else if (!strcmp(name, "AspectRatioY")) - asf->dar[0].den = get_value(s->pb, value_type, 32); + if (!strcmp(name, "AspectRatioX")) { + const uint64_t value = get_value(s->pb, value_type, 32); + if (value > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", value); + return AVERROR(ENOTSUP); + } + asf->dar[0].num = (int)value; + } + else if (!strcmp(name, "AspectRatioY")) { + const uint64_t value = get_value(s->pb, value_type, 32); + if (value > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", value); + return AVERROR(ENOTSUP); + } + asf->dar[0].den = (int)value; + } else get_tag(s, name, value_type, value_len, 32); } 
@@ -630,13 +642,21 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) i, stream_num, name_len_utf16, value_type, value_len, name); if (!strcmp(name, "AspectRatioX")){ - int aspect_x = get_value(s->pb, value_type, 16); + const uint64_t aspect_x = get_value(s->pb, value_type, 16); + if (aspect_x > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", aspect_x); + return AVERROR(ENOTSUP); + } if(stream_num < 128) - asf->dar[stream_num].num = aspect_x; + asf->dar[stream_num].num = (int)aspect_x; } else if(!strcmp(name, "AspectRatioY")){ - int aspect_y = get_value(s->pb, value_type, 16); + const uint64_t aspect_y = get_value(s->pb, value_type, 16); + if (aspect_y > INT32_MAX) { + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", aspect_y); + return AVERROR(ENOTSUP); + } if(stream_num < 128) - asf->dar[stream_num].den = aspect_y; + asf->dar[stream_num].den = (int)aspect_y; } else { get_tag(s, name, value_type, value_len, 16); }
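
Review bot: In the @@ -202,7 hunk, switching get_value to `uint64_t` changes every return path of the function, not only the avio_rl64() one named in the commit message. The body is outside this hunk, so please confirm that no case returns a negative int as a "no value" marker; after this change such a value would reach callers as a very large unsigned number. If one exists, return 0 there or report the error separately. The commit message should also describe the new ENOTSUP behaviour, which it currently leaves to the subject line.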
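
Review bot: In the @@ -567,10 hunk (asf_read_ext_content_desc), `return AVERROR(ENOTSUP);` makes the whole call fail because a single AspectRatioX or AspectRatioY value exceeds INT32_MAX, and the only trace is logged at AV_LOG_DEBUG, so at default verbosity the failure is silent. The removed lines assigned the value and carried on, so this is a behaviour change for files that previously opened. Consider logging at AV_LOG_WARNING and leaving asf->dar[0] unset instead of returning. Style: the closing brace and `else if` belong on one line (`} else if (...) {`), and the same range check is written four times in this patch, so a small helper taking the tag name and the destination field would remove the duplication.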
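
Review bot: In the @@ -630,13 hunk (asf_read_metadata), the `aspect_x > INT32_MAX` and `aspect_y > INT32_MAX` checks return before `if(stream_num < 128)` is evaluated, so an out-of-range value for a stream_num of 128 or more, which would have been discarded anyway, now fails the whole call. Move the range check inside the stream_num guard, or skip the assignment rather than return. The message is also emitted at AV_LOG_DEBUG only, so the resulting error is not explained to the user at the default log level.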