From patchwork Wed May 6 04:17:41 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 19513
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 6 May 2020 06:17:41 +0200
Message-Id: <20200506041741.4730-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avformat/hlsenc: Improve checks for invalid stream mappings
Cc: Andreas Rheinhardt

The mapping of streams to the various variant streams to be created by the HLS muxer is roughly as follows: Space and tab separate variant stream group maps while the entries in each variant stream group map are separated by ','.

The parsing process of each variant stream group proceeded as follows: At first the number of occurrences of "a:", "v:" and "s:" in each variant stream group is calculated so that one can allocate an array of streams with this number of entries. Then each entry is checked and the check for stream numbers was deficient: It did check that there is a number beginning after the ":", but it did not check that the number extends until the next "," (or until the end).

This means that an invalid variant stream group like v:0_v:1 will not be rejected; the problem is that the variant stream in this example is supposed to have two streams associated with it (because it contains two "v:"), yet only one stream is actually associated with it (because there is no ',' to start a second stream specifier). This discrepancy led to segfaults (null pointer dereferencing) in the rest of the code (when the nonexistent second stream associated to the variant stream was inspected).

Furthermore, this commit also removes an instance of using atoi() whose behaviour on a range error is undefined.

Fixes ticket #8652.
Signed-off-by: Andreas Rheinhardt --- libavformat/hlsenc.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index b269d015d8..5695c6cc95 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1880,7 +1880,7 @@ fail: static int get_nth_codec_stream_index(AVFormatContext *s, enum AVMediaType codec_type, - int stream_id) + int64_t stream_id) { unsigned int stream_index, cnt; if (stream_id < 0 || stream_id > s->nb_streams - 1) @@ -1963,6 +1963,8 @@ static int parse_variant_stream_mapstring(AVFormatContext *s) nb_streams = 0; while (keyval = av_strtok(varstr, ",", &saveptr2)) { + int64_t num; + char *end; varstr = NULL; if (av_strstart(keyval, "language:", &val)) { av_free(vs->language); @@ -2011,10 +2013,12 @@ static int parse_variant_stream_mapstring(AVFormatContext *s) return AVERROR(EINVAL); } - stream_index = -1; - if (av_isdigit(*val)) - stream_index = get_nth_codec_stream_index (s, codec_type, - atoi(val)); + num = strtoll(val, &end, 0); + if (!av_isdigit(*val) || *end != '\0') { + av_log(s, AV_LOG_ERROR, "Invalid stream number: '%s'\n", val); + return AVERROR(EINVAL); + } + stream_index = get_nth_codec_stream_index(s, codec_type, num); if (stream_index >= 0 && nb_streams < vs->nb_streams) { for (i = 0; nb_streams > 0 && i < nb_streams; i++) {
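
Review bot: The unchanged bound check in the first hunk (@@ -1880,7 in get_nth_codec_stream_index), stream_id > s->nb_streams - 1, now compares an int64_t against a value that is still computed as unsigned int (nb_streams is unsigned int in AVFormatContext). With zero streams the subtraction wraps to UINT_MAX, and after the widening every stream_id up to that value passes the check. Writing the test as stream_id >= s->nb_streams removes the subtraction and states the bound directly for the new parameter type.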
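
Review bot: Base 0 in strtoll(val, &end, 0) in the last hunk (@@ -2011,10) changes the accepted syntax: an entry such as v:010 is read as octal 8 and v:0x10 as hexadecimal 16, and both pass the av_isdigit(*val) and *end != '\0' checks, whereas the removed atoi() call read decimal only. Passing 10 as the base keeps stream numbers decimal. An out-of-range value saturates in strtoll and then falls outside the range tested in get_nth_codec_stream_index, so errno does not need checking, but a short comment saying so would help the next reader.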
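
The count-versus-parse discrepancy described in the commit message, as an added example that is not part of the patch or of FFmpeg. It is a simplified model: the function names are hypothetical, and the strict check is a plain digit scan standing in for the patch's strtoll()/end-pointer test.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not FFmpeg code; all names here are hypothetical. */

/* Step 1: size the stream array by counting "a:", "v:" and "s:". */
static int count_specifiers(const char *group)
{
    int n = 0;
    for (const char *p = group; *p; p++)
        if ((*p == 'a' || *p == 'v' || *p == 's') && p[1] == ':')
            n++;
    return n;
}

/* Lax: a leading digit suffices. Strict: digits up to the end of the entry. */
static int number_ok(const char *val, size_t len, int strict)
{
    if (len == 0 || !isdigit((unsigned char)val[0]))
        return 0;
    for (size_t i = 1; strict && i < len; i++)
        if (!isdigit((unsigned char)val[i]))
            return 0;
    return 1;
}

/* Step 2: walk the ','-separated entries. Returns 1 if every counted slot
 * gets a stream, 0 if slots stay empty, -1 if an entry is rejected. */
static int check_group(const char *group, int strict)
{
    int filled = 0, wanted = count_specifiers(group);
    while (*group) {
        size_t len = strcspn(group, ",");
        if (len < 3 || !strchr("avs", group[0]) || group[1] != ':' ||
            !number_ok(group + 2, len - 2, strict))
            return -1;
        filled++;
        group += len + (group[len] == ',');
    }
    return filled == wanted;
}

int main(void)
{
    const char *g = "v:0_v:1"; /* the invalid group from the commit message */
    printf("lax: %d, strict: %d\n", check_group(g, 0), check_group(g, 1));
    return 0;
}
```

A result of 0 from the lax mode is the state that led to the null pointer dereference: two slots were allocated and only one was filled.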