From patchwork Sat May 7 09:36:36 2022
X-Patchwork-Submitter: Aman Karmani
X-Patchwork-Id: 35626
From: softworkz
Date: Sat, 07 May 2022 09:36:36 +0000
To: ffmpeg-devel@ffmpeg.org
Cc: softworkz
Subject: [FFmpeg-devel] [PATCH v2 03/11] libavformat/asfdec: fix type of value_len
From: softworkz The value_len is a uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break. Signed-off-by: softworkz --- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index d31e1d581d..29b429fee9 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) static int asf_read_content_desc(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb);
@@ -614,25 +614,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM);
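Review bot: in the get_tag hunk (@@ -218) the parameter becomes `uint32_t len`, but the body of get_tag, where len is actually consumed, is not part of this diff. If len is still compared with or stored into int variables there, or handed to a callee that takes int, the signedness change only moves the truncation the commit message complains about rather than removing it. Please include the body changes in this patch, or say in the commit message that none are needed. Note also that the asf_read_content_desc callers feed get_tag values from avio_rl16 (at most 65535), so the widened parameter only matters for the asf_read_metadata caller.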
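Review bot: in the asf_read_content_desc hunk (@@ -528) len1..len5 are widened to uint32_t even though each one is loaded with avio_rl16 and so can never exceed 65535; the old int declaration was not at risk of truncation, and this change only serves to match the new get_tag prototype. The commit message talks only about value_len in the metadata object, so one sentence stating that this hunk is a type-consistency change would stop a later reader from looking for an overflow here.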
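Review bot: in the asf_read_metadata hunk (@@ -614) the line `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` is deleted with nothing put in its place, so value_len is now a file-controlled 32-bit quantity that reaches get_tag with no bound at all; a crafted file can request a multi-gigabyte allocation or push the parser far beyond the object. The old check rejected the record rather than altering the value, so "truncated ... by any conditional checks" in the commit message does not describe what it did. The function already receives the object length as `int64_t size`; the change that keeps the value intact while staying safe is to compare value_len (and 2 * name_len_utf16) against the bytes of size not yet consumed and return AVERROR_INVALIDDATA when they exceed it. Separately, the `(uint16_t)` casts on the avio_rl16 results are redundant now that stream_num, name_len_utf16 and value_type are declared uint16_t, since the assignment converts implicitly; dropping them shrinks the diff.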
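Added example, my own code and not part of the patch or of FFmpeg: a stand-alone parser for the metadata-record layout the asf_read_metadata hunk reads (record count, then per record the language index, stream number, UTF-16 name length, value type and a 32-bit value length, in the order of the avio_rl16/avio_rl32 calls). It shows why the length has to stay uint32_t and what bound a reviewer would want in place of the deleted UINT16_MAX check: a value longer than 65535 bytes is accepted when the object really contains it, and an oversized claim is rejected before anything is allocated or skipped. The sample bytes are constructed, and the names (parse_record, asf_meta_rec, REC_TRUNCATED) are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers and writers over a memory buffer, mirroring avio_rl16 / avio_rl32. */
static uint16_t rl16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24; }

enum { REC_OK = 0, REC_INVALID = -1, REC_TRUNCATED = -2 };   /* my codes, not FFmpeg's */

typedef struct {
    uint16_t stream_num;
    uint16_t value_type;
    uint32_t value_len;   /* 32-bit as read by avio_rl32 in the hunk; never narrowed */
    size_t   next;        /* offset of the following record; only correct if value_len is exact */
} asf_meta_rec;

/* The check the hunk deletes, as it behaved while value_len was declared int. */
static int old_check_rejects(uint32_t value_len)
{
    int v = (int)value_len;   /* implementation-defined above INT_MAX; negative on two's-complement ABIs */
    return v < 0 || v > UINT16_MAX;
}

/* Parse one record at `off`; `end` is the end of the metadata object inside buf. */
static int parse_record(const uint8_t *buf, size_t end, size_t off, asf_meta_rec *out)
{
    uint16_t name_len;
    size_t remaining;

    if (off > end || end - off < 12)
        return REC_TRUNCATED;
    out->stream_num = rl16(buf + off + 2);   /* off + 0 is lang_list_index, skipped as in the hunk */
    name_len        = rl16(buf + off + 4);
    out->value_type = rl16(buf + off + 6);
    out->value_len  = rl32(buf + off + 8);
    off += 12;
    remaining = end - off;
    /* Bound both lengths by the bytes left in the object instead of a fixed UINT16_MAX:
     * the value is never clipped, and an oversized claim is rejected before any
     * allocation or skip. This is my suggested check, not code from the patch. */
    if (name_len > remaining || out->value_len > remaining - name_len)
        return REC_TRUNCATED;
    out->next = off + name_len + out->value_len;
    return REC_OK;
}

/* Walk every record; returns the number parsed or a negative REC_* code. */
static int parse_all(const uint8_t *buf, size_t len, asf_meta_rec *recs, int max)
{
    size_t off = 2;
    int n, i;

    if (len < 2)
        return REC_TRUNCATED;
    n = rl16(buf);
    if (n > max)
        return REC_INVALID;
    for (i = 0; i < n; i++) {
        int r = parse_record(buf, len, off, &recs[i]);
        if (r < 0)
            return r;
        off = recs[i].next;   /* the advance is driven by value_len, so it must not be clipped */
    }
    return n;
}

/* Constructed sample: two records, the second carrying a 70000-byte value, which the
 * format allows but the old UINT16_MAX check rejected. */
#define BIG_VALUE_LEN 70000u
static uint8_t sample[2 + (12 + 4 + 3) + (12 + 4 + BIG_VALUE_LEN)];

static size_t build_sample(void)
{
    uint8_t *p = sample;
    put16(p, 2); p += 2;
    put16(p, 0); put16(p + 2, 1); put16(p + 4, 4); put16(p + 6, 0); put32(p + 8, 3); p += 12;
    memcpy(p, "a\0b\0", 4); p += 4;   /* UTF-16LE name "ab" */
    memcpy(p, "xyz", 3); p += 3;
    put16(p, 0); put16(p + 2, 2); put16(p + 4, 4); put16(p + 6, 1); put32(p + 8, BIG_VALUE_LEN); p += 12;
    memcpy(p, "c\0d\0", 4); p += 4;
    memset(p, 'v', BIG_VALUE_LEN); p += BIG_VALUE_LEN;
    return (size_t)(p - sample);
}

/* value_len of the second record after a parse that ends exactly at the buffer end; 0 on any error. */
static uint32_t demo_second_value_len(void)
{
    asf_meta_rec recs[2];
    size_t len = build_sample();
    if (parse_all(sample, len, recs, 2) != 2 || recs[1].next != len)
        return 0;
    return recs[1].value_len;
}

/* A 14-byte object whose single record claims a 0x80000010-byte value. */
static int demo_oversized_claim(void)
{
    static const uint8_t bad[14] = { 1,0, 0,0, 1,0, 0,0, 0,0, 0x10,0x00,0x00,0x80 };
    asf_meta_rec r;
    return parse_all(bad, sizeof bad, &r, 1);
}

int main(void)
{
    printf("second value_len=%u oversized->%d old check rejects 70000:%d 0x80000010:%d\n",
           demo_second_value_len(), demo_oversized_claim(),
           old_check_rejects(BIG_VALUE_LEN), old_check_rejects(0x80000010u));
    return 0;
}
```

The 0x80000010 case is the one the commit message is about: read into an int it goes negative and the old check rejects it, while read into uint32_t it keeps its value; but keeping the value only helps if something then compares it against the bytes actually present, which is what parse_record does and what the hunk no longer does.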