From patchwork Mon Aug 10 01:10:21 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21573
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 10 Aug 2020 03:10:21 +0200
Message-Id: <20200810011023.17540-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/3] avformat/mlvdec: Check for existence of AVIOContext before using it

The mlv demuxer supports input split into multiple files; if invalid data is encountered when parsing one of the subsequent files, that file is closed. But at this point some index entries belonging to this file might already have been added. In this case, the read_packet function might try to use the AVIOContext (which is NULL) to read data which will of course crash. This commit fixes this.

Signed-off-by: Andreas Rheinhardt --- As an alternative to patches 1 and 3 one could also just error out if one of the subsequent files is bad. libavformat/mlvdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 03aed71024..7c7ced7f76 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -411,6 +411,10 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) } pb = mlv->pb[st->index_entries[index].size]; + if (!pb) { + ret = FFERROR_REDO; + goto next_packet; + } avio_seek(pb, st->index_entries[index].pos, SEEK_SET); avio_skip(pb, 4); // blockType 
@@ -439,12 +443,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) pkt->stream_index = mlv->stream_index; pkt->pts = mlv->pts; + ret = 0; +next_packet: mlv->stream_index++; if (mlv->stream_index == avctx->nb_streams) { mlv->stream_index = 0; mlv->pts++; } - return 0; + return ret; } static int read_seek(AVFormatContext *avctx, int stream_index, int64_t timestamp, int flags)
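
Review bot: the new `if (!pb)` branch in the first read_packet() hunk (@@ -411) drops the packet with FFERROR_REDO without a comment or a log line, so nothing at that spot explains why an entry of mlv->pb can be NULL while index entries still refer to it. Suggest a short comment there saying that the file was closed after some of its index entries had been added, plus an av_log() at warning or debug level so that skipped packets are visible to whoever is debugging a truncated multi-file input.
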
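
Review bot: in the second read_packet() hunk (@@ -439) the `next_packet:` label makes the skip path share the stream_index/pts advance with the success path, and the `ret = 0;` directly above the label is the only thing separating the two outcomes. A comment at the label stating that a skipped entry must still advance stream_index and pts, so that the retry after FFERROR_REDO does not land on the same entry, would document that intent. It is also worth confirming that this advance reaches a terminating condition when every remaining index entry belongs to a closed file.
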
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 10 Aug 2020 03:10:22 +0200
Message-Id: <20200810011023.17540-2-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200810011023.17540-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 2/3] avformat/mlvdec: Don't leak open AVIOContexts on error

Signed-off-by: Andreas Rheinhardt --- libavformat/mlvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 7c7ced7f76..50913fa685 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -52,6 +52,8 @@ typedef struct { uint64_t pts; } MlvContext; +static int read_close(AVFormatContext *s); + static int probe(const AVProbeData *p) { if (AV_RL32(p->buf) == MKTAG('M','L','V','I') && 
@@ -376,6 +378,7 @@ static int read_header(AVFormatContext *avctx) if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + read_close(avctx); return AVERROR_INVALIDDATA; }
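
Review bot: the forward declaration `static int read_close(AVFormatContext *s);` added after MlvContext (@@ -52) could be avoided by moving the definition of read_close() above read_header(), which keeps the prototype and the definition from drifting apart.
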
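
Review bot: read_close(avctx) is added only on the "no index entries found" return in read_header() (@@ -376); any other error return taken after the additional files have been opened would still leave their AVIOContexts open. Suggest routing every such return through one cleanup label that calls read_close(), or stating that this is the only affected path. The commit message consists of the subject alone, so a sentence naming which contexts leak and when would help.
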
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 10 Aug 2020 03:10:23 +0200
Message-Id: <20200810011023.17540-3-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200810011023.17540-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 3/3] avformat/mlvdec: Only store dimensions after having validated them

Otherwise it might happen that invalid dimensions are used when reading a video packet; this might lead to undefined overflow.

Signed-off-by: Andreas Rheinhardt --- libavformat/mlvdec.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 50913fa685..f08aabf4e0 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c
@@ -132,23 +132,25 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f break; size -= 16; if (vst && type == MKTAG('R','A','W','I') && size >= 164) { - vst->codecpar->width = avio_rl16(pb); - vst->codecpar->height = avio_rl16(pb); - ret = av_image_check_size(vst->codecpar->width, vst->codecpar->height, 0, avctx); + unsigned width = avio_rl16(pb); + unsigned height = avio_rl16(pb); + unsigned bits_per_coded_sample; + ret = av_image_check_size(width, height, 0, avctx); if (ret < 0) return ret; if (avio_rl32(pb) != 1) avpriv_request_sample(avctx, "raw api version"); avio_skip(pb, 20); // pointer, width, height, pitch, frame_size - vst->codecpar->bits_per_coded_sample = avio_rl32(pb); - if (vst->codecpar->bits_per_coded_sample < 0 || - vst->codecpar->bits_per_coded_sample > (INT_MAX - 7) / (vst->codecpar->width * vst->codecpar->height)) { + bits_per_coded_sample = avio_rl32(pb); + if (bits_per_coded_sample > (INT_MAX - 7) / (width * height)) { av_log(avctx, AV_LOG_ERROR, - "invalid bits_per_coded_sample %d (size: %dx%d)\n", - vst->codecpar->bits_per_coded_sample, - vst->codecpar->width, vst->codecpar->height); + "invalid bits_per_coded_sample %u (size: %ux%u)\n", + bits_per_coded_sample, width, height); return AVERROR_INVALIDDATA; } + vst->codecpar->width = width; + vst->codecpar->height = height; + vst->codecpar->bits_per_coded_sample = bits_per_coded_sample; avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias if (avio_rl32(pb) != 0x2010100) /* RGGB */ avpriv_request_sample(avctx, "cfa_pattern");
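
Review bot: the bound `(INT_MAX - 7) / (width * height)` in the RAWI branch of scan_file() depends on the preceding av_image_check_size() call having rejected a zero width or height, since otherwise the divisor is zero; a one-line comment above the comparison would keep a later reorder of these checks from breaking that. With the `< 0` test removed, the comparison now also accepts bits_per_coded_sample == 0, so consider rejecting zero explicitly if a video packet of size zero is not meaningful. The switch to `%u` in the log format matches the new unsigned locals.
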