From patchwork Sun May 8 03:01:14 2022
X-Patchwork-Submitter: Aman Karmani
X-Patchwork-Id: 35690
From: softworkz
Date: Sun, 08 May 2022 03:01:14 +0000
To: ffmpeg-devel@ffmpeg.org
Cc: Michael Niedermayer, softworkz
Subject: [FFmpeg-devel] [PATCH v3 03/11] libavformat/asfdec: fix type of value_len
List-Id: FFmpeg development discussions and patches
From: softworkz The value_len is an uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break. Signed-off-by: softworkz --- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 0fa2bbf653..3014ef558d 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) static int asf_read_content_desc(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); 
@@ -619,25 +619,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) ASFContext *asf = s->priv_data; uint64_t dar_num[128] = {0}; uint64_t dar_den[128] = {0}; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM);
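Review bot: the `get_tag` hunk changes only the parameter type from `int len` to `uint32_t len`, while the body that actually consumes `len` lies outside the hunk; the commit message says the value is needed at the end of `get_tag` to move forward in parsing, so review should confirm that every use of `len` in that body (allocation sizes, comparisons, the final seek or skip) is correct for an unsigned 32-bit value rather than a signed `int`, and that every caller of `get_tag` now passes an unsigned value so that no signed-to-unsigned conversion is silently introduced. The `asf_read_content_desc` caller is updated in this patch; any other caller in `asfdec_f.c` needs the same check.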
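Review bot: in `asf_read_content_desc`, `len1` through `len5` are read with `avio_rl16()` and so can never exceed 16 bits; declaring them `uint32_t` is harmless and matches the new `get_tag` parameter, but it is inconsistent with the third hunk, which declares the `avio_rl16()` fields `stream_num` and `name_len_utf16` as `uint16_t`. Pick one convention for 16-bit on-disk fields (`uint16_t` documents the field width; `uint32_t` avoids a widening at the `get_tag` call) and apply it in both places.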
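Review bot: the `asf_read_metadata` hunk deletes `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` without adding any replacement bound, so `value_len` may now be any 32-bit value taken from the file. The commit message's concern is that the value must not be truncated, but this check never truncated it; it rejected the object. The `< 0` half is dead once `value_len` is `uint32_t` and can go, but whatever code later in the loop consumes `value_len` (not in the hunk) must be reviewed for allocation sizes and `int` arithmetic that a value near `UINT32_MAX` would overflow, and a replacement check against what is actually available, e.g. `if (value_len > size) return AVERROR_INVALIDDATA;` using the `int64_t size` parameter already in scope (or the bytes remaining in the object), would keep the rejection of malformed input without the artificial 16-bit ceiling. Two smaller points: the `(uint16_t)` casts on the `avio_rl16()` results are redundant, since assignment to a `uint16_t` converts implicitly, and the `name_len_utf8 = 2 * name_len_utf16 + 1;` / `name = av_malloc(name_len_utf8);` lines change only in whitespace, which adds noise to the diff.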