From patchwork Tue Apr  2 02:28:03 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eugene Zemtsov <ezemtsov@google.com>
X-Patchwork-Id: 47721
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:9f96:b0:1a3:b6bb:3029 with SMTP id
 mm22csp1099466pzb;
        Mon, 1 Apr 2024 19:29:56 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCV1BAqP7JS+zB63qQDO46SJHcek8oQIrNHJGt7AhnwRaHajWiXU517KmUQA0aAPV4A+qzYzheU3Zh08hYtSJlf3lfkEaQw2wWu4/A==
X-Google-Smtp-Source: 
 AGHT+IFWqz7EBMkiPbb8VmTAluBQq6W025sgj85RWNBlPkKbIP7adXWrSaS6c8pmwuX3RSgSL04S
X-Received: by 2002:a17:906:fe42:b0:a4e:375b:ef23 with SMTP id
 wz2-20020a170906fe4200b00a4e375bef23mr7003861ejb.0.1712024996224;
        Mon, 01 Apr 2024 19:29:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1712024996; cv=none;
        d=google.com; s=arc-20160816;
        b=1Dk3qe9cVoMgGaTc9MSqGvEV6ry5eu3iKvjUHAyeyVwqSI10FIDJbB+gwdvV75Uz4D
         ktCsSb4T1e1ySazaIPPz7cZNIqcqHOg6XOJh1ZQtfMsn5XegElQdHGYQrkMpD6gBTOKk
         Bq4MGHbm2mTPhCEJ3xqfefrVwoZm+Fbd1k22xl/3phhGPs1pfiqYCrwN8Cd5YKZzF8BI
         66yR4+8J+3SClefKprMPaZkd3qJPVAyJmvuYuc22b0ukyBJx2jS8y4YboBx2CqdhXX6g
         1HSGLYIFsxXEy09NIGJzTrwAU0yZnFIn3NkfLOtbdmAqqalHRp1PpLxyXt47jqKj+65e
         i6Qw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:cc:reply-to:from
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:to:message-id:references:mime-version
         :in-reply-to:date:delivered-to;
        bh=mBA59lbR9IYVJ2s63POz9mfUgWC992SzT67lNQ+h+f4=;
        fh=/9RAhijlZj+WphHRSZsZ9sLSydmlaGzIcPxS+9T0zWY=;
        b=tM/4DRHY8DUumrTU6I44NJb5zJXOcLLSUxI6Ro/nIz6WUQsd7D7HNMT+EGAjBWUGKV
         /BNJKxDIM5+AjduOMVRFXb2xf/tz0y3Ka3Nx6vBnGvfWsMILwx5t7FBbKwvar2KwKas/
         34hFxV3lTr+z44Ibgo4erMqX1BO2Aib7vdrn9gbS5gOU4XdCREn4Np3TPy7GxlGaBJLe
         51fiC5iZnjGOehTvLJ8vl9CfJ7d1EI6hRyFw8xm9FYsh6D1Kj9MmPpkTbpecPS1j54E5
         VJlKFByoEj3Z5S/3Ej9Bs5kg1gyCQOvBXhp+5az6RIkRVe1IoN01Lp5CqlZj8KJ5o5Vh
         kgOQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 z1-20020a170906074100b00a474a4c6081si4914205ejb.173.2024.04.01.19.29.55;
        Mon, 01 Apr 2024 19:29:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 330C468D0AF;
	Tue,  2 Apr 2024 05:29:53 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com
 [209.85.215.201])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 28BAE68BDE1
 for <ffmpeg-devel@ffmpeg.org>; Tue,  2 Apr 2024 05:29:46 +0300 (EEST)
Received: by mail-pg1-f201.google.com with SMTP id
 41be03b00d2f7-5e4f312a995so2321343a12.2
 for <ffmpeg-devel@ffmpeg.org>; Mon, 01 Apr 2024 19:29:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1712024984; x=1712629784;
 h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
 :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=lvRbwNSJLGpIwoT1pRnjepaHAy6CXfp7PyWu6Y/nWfw=;
 b=u7f/5vBEcG6liw9+PoERVvZ8qAGqtqvKXKmpvuueCxKQjVymVBe2lIx3EVx2j7EUHK
 tRR1LNjBDnlF6073YjeMirG6W1OQI5YDVjjDGOpUIOSE8Bn7Yk6AFezy4cy4qqY/pSoH
 lNcSVXJxXqPKkl+iPVRP7vAV+hTU2pZ4NG5vFpP6GDhwmyk2+AZVNwYTXquG7hGaDjai
 qnW5JCmMmGgAv1f+7uakDZFt84zUES2iBc6OXMikZykv+YPuZZ9ua00oSQLVgI1nmxtC
 6DrAVzA+eKP6re9t4x/fh+SgCCcp//DVp9wQw7x0SkqEdNV2CW9tDkBORSUXp15S/GIE
 O82Q==
X-Gm-Message-State: AOJu0Yy/yrqMii74IrT5kZYkwffdt5yVGnUyALac9FvW0N0Zqy2hdAqZ
 XHwdHnC1BZ61lLou0w4Sy1+dnMCvirlF1C8X0kkeDyOLKSKjfGK4aoKHYoMLUMcsjx2I3QW0IDJ
 FcUDtu3MUukdL2IbIdAgfn/ZYMONTUHlIG4WoA7HL65JpyF66h8CQQ2OEnQKjffY3AHGsZiBjpT
 jXRX+iT5m37Vd1Kf1oNkUofR9C3P3+Rbk8odMH5s4/MHU=
X-Received: from ez-linux.bve.corp.google.com
 ([2620:15c:7d:6:e80c:319b:f389:8bbf])
 (user=ezemtsov job=sendgmr) by 2002:a17:902:e751:b0:1e2:3051:8194 with SMTP
 id p17-20020a170902e75100b001e230518194mr1006734plf.11.1712024983548; Mon, 01
 Apr 2024 19:29:43 -0700 (PDT)
Date: Mon,  1 Apr 2024 19:28:03 -0700
In-Reply-To: <20240402022928.585868-1-ezemtsov@google.com>
Mime-Version: 1.0
References: <6ba08b58-2831-4e9b-8f22-1812d2e59a84@gmail.com>
 <20240402022928.585868-1-ezemtsov@google.com>
X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog
Message-ID: <20240402022928.585868-2-ezemtsov@google.com>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] mov demuxer: Check if a key is longer than
 the atom containing it
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
X-Patchwork-Original-From: Eugene Zemtsov via ffmpeg-devel
 <ffmpeg-devel@ffmpeg.org>
From: Eugene Zemtsov <ezemtsov@google.com>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Eugene Zemtsov <ezemtsov@google.com>, eugene@chromium.org
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: iL2Ywntyuz0S

From: Eugene Zemtsov <eugene@chromium.org>

Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.

Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
---
 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 662301bf67..2d92e7963b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5048,12 +5048,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     for (i = 1; i <= count; ++i) {
         uint32_t key_size = avio_rb32(pb);
         uint32_t type = avio_rl32(pb);
-        if (key_size < 8) {
+        if (key_size < 8 || key_size > atom.size) {
             av_log(c->fc, AV_LOG_ERROR,
                    "The key# %"PRIu32" in meta has invalid size:"
                    "%"PRIu32"\n", i, key_size);
             return AVERROR_INVALIDDATA;
         }
+        atom.size -= key_size;
         key_size -= 8;
         if (type != MKTAG('m','d','t','a')) {
             avio_skip(pb, key_size);