From patchwork Tue Nov 1 00:17:23 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Cadhalpun X-Patchwork-Id: 1243 Delivered-To: ffmpegpatchwork@gmail.com Received: by 10.103.90.1 with SMTP id o1csp404847vsb; Mon, 31 Oct 2016 17:17:34 -0700 (PDT) X-Received: by 10.194.127.40 with SMTP id nd8mr3497225wjb.43.1477959454359; Mon, 31 Oct 2016 17:17:34 -0700 (PDT) Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id f4si27702623wmf.0.2016.10.31.17.17.34; Mon, 31 Oct 2016 17:17:34 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@googlemail.com; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org; dmarc=fail (p=QUARANTINE dis=NONE) header.from=googlemail.com Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 232B3689C11; Tue, 1 Nov 2016 02:17:29 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-wm0-f50.google.com (mail-wm0-f50.google.com [74.125.82.50]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0EA75689913 for ; Tue, 1 Nov 2016 02:17:22 +0200 (EET) Received: by mail-wm0-f50.google.com with SMTP id t79so79910516wmt.0 for ; Mon, 31 Oct 2016 17:17:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to; bh=sT8N9NBgdYCY8v2Dr/oua0M8sTKAt2F2cI2QinyjE1c=; b=zMCG4AYsvN8StTh4SN26yByAY0FOWDh+swAgknJSmEX/7ePuLjlOolBak6xMD5MSt2 JPrJKIyKvIE64feDhHw9Cf/T4b/Pw+KD5RkeT3BXKyUsGXZ02+/3kBkN1qz/0oxpQcYJ QYHWO7n8Tyg1+nTGuSTQtsAxfLkgWz2B6I0ofP6Lv+9BSZQsW902Tca6xQCop6s9nbFm 6E/ZGsGYZlua6fBEhGUSRJL0RORghWLmrmYJaE4AhYCkVnEEbxS0joTMNYMcsVGn+9zV ZqYlffQknsrNaWlWN5Lg/e3Ro0jmMOG43OaRjMZHHkjaQ8+U3+N3RRxWsjZsqcplZJrF 1k8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to; bh=sT8N9NBgdYCY8v2Dr/oua0M8sTKAt2F2cI2QinyjE1c=; b=aO6S5MAXS3S1llqt59o3HY/8PXhpZG0U/xZcIPePP7zQw/jjG+39217LZ11wtpdVSP YgSx2MbATZ32qhdQ1Kl6g4bDmZpfYN5Indrm15BYBbz8uP/mGxXHuYOsTOiwJWOyMdgC dN0V/I1K7AUJudfqQqo17yKGWtL3GILcwlPNr5Vr5U9SGfHcDUHF+DNN//T6QGuDy8gp s2havH63rdv8ZPsXbEj34ylhy/cEd+INxR/t6Ojl0ZPslCjm2JpEMhbQ+oZggLMNn37o vQpDeUQ7XRmCgQwUjQrrOkZ+qeFWoj+72F40T6udup2A9MsQdNejzrbMZc9vWZ/biM1j r6jg== X-Gm-Message-State: ABUngvfZ9yBXCh7NXVLy8JMZWa+nF6RjZpOY7edcX4Ie8fTBAXH+imGRIp1nkRXPxXDD2w== X-Received: by 10.28.97.139 with SMTP id v133mr8773455wmb.117.1477959444809; Mon, 31 Oct 2016 17:17:24 -0700 (PDT) Received: from [192.168.2.21] (p5B095E4A.dip0.t-ipconnect.de. [91.9.94.74]) by smtp.googlemail.com with ESMTPSA id 130sm27339016wmf.0.2016.10.31.17.17.23 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 31 Oct 2016 17:17:24 -0700 (PDT) From: Andreas Cadhalpun X-Google-Original-From: Andreas Cadhalpun To: ffmpeg-devel@ffmpeg.org References: <41ecbe4f-8f70-809f-7d75-1012277f0b97@googlemail.com> Message-ID: Date: Tue, 1 Nov 2016 01:17:23 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 In-Reply-To: Subject: Re: [FFmpeg-devel] [PATCH] mov: only read e_old if there were any old streams X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" On 31.10.2016 19:20, Sasi Inguva wrote: > First of all, if nb_old == 0 i.e. there are no entries in AVIndex, then > there is no point in calling mov_fix_index function at all. So instead of > doing the above , you can directly check for st->nb_index_entries > 0 at > the top of mov_fix_index and return otherwise. OK, patch doing that is attached. > Also, I don't understand how nb_old==0 can cause heap overflow. If I read > the code correctly, if nb_old==0 find_prev_closest_keyframe_index , should > return -1, which would make the function skip that edit list here > > if (index == -1) { > av_log(mov>->fc, AV_LOG_ERROR, "Missing key frame while reordering index according to edit list\n"); > continue; > } This checks is four lines below the heap buffer overflow, which is obviously too late. Best regards, Andreas From 634682d0628d02a2941140800e901611bfee2d0c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 1 Nov 2016 01:05:01 +0100 Subject: [PATCH] mov: immediately return from mov_fix_index without old index entries If there are no index entries, e_old = st->index_entries is only one byte large, since it was created by av_realloc called with size 0. Thus accessing e_old[0].timestamp causes a heap buffer overflow. Signed-off-by: Andreas Cadhalpun --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 414007e..7614632 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2961,7 +2961,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st) int first_non_zero_audio_edit = -1; int packet_skip_samples = 0; - if (!msc->elst_data || msc->elst_count <= 0) { + if (!msc->elst_data || msc->elst_count <= 0 || nb_old <= 0) { return; } // Clean AVStream from traces of old index -- 2.10.1