From patchwork Tue Sep 14 18:32:27 2021
X-Patchwork-Submitter: Nicolas Jorge Dato
X-Patchwork-Id: 30247
From: Nicolas Jorge Dato
To: ffmpeg-devel@ffmpeg.org
Cc: Nicolas Jorge Dato
Date: Tue, 14 Sep 2021 15:32:27 -0300
Message-Id: <20210914183227.9924-1-nicolas.dato@gmail.com>
Subject: [FFmpeg-devel] [PATCH] Fixes overflow in libavformat/mpegts.c when parsing the PMT, ticket #9422.

When a possible overflow was detected, there was a break to exit the while loop. However, it should have already subtracted 2 bytes from program_info_length (descriptor ID + length).
---
 libavformat/mpegts.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index fe89d4fb9f..f4e95d21fd 100644
--- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2346,10 +2346,11 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len av_log(ts->stream, AV_LOG_TRACE, "program tag: 0x%02x len=%d\n", tag, len); - if (len > program_info_length - 2) + program_info_length -= 2; + if (len > program_info_length) // something else is broken, exit the program_descriptors_loop break; - program_info_length -= len + 2; + program_info_length -= len; if (tag == IOD_DESCRIPTOR) { get8(&p, p_end); // scope get8(&p, p_end); // label
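Review bot: the hunk changes what program_info_length holds when the loop leaves through the break (now 2 bytes less, matching the tag and length bytes that get8() has already consumed), but the code that consumes the leftover count after the loop is not in the hunk, so the commit message should name it (whatever skips the remainder of the program info after this break) so the fix can be checked from the message alone; a sample from ticket #9422 turned into a FATE test would also help. On the non-break path the two variants are equivalent (`program_info_length -= 2;` followed by `program_info_length -= len;` is the same as `program_info_length -= len + 2;`), so the only behavioural change is on the break path, which is what the commit message describes. Style: FFmpeg commit subjects use the `avformat/mpegts: ...` prefix in the imperative, with `Fixes ticket #9422` in the body, rather than `Fixes overflow in libavformat/mpegts.c ..., ticket #9422.`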
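The bookkeeping the patch fixes can be shown with a small stand-alone model of the descriptor loop. The code below is an added example, not FFmpeg's code or the submitter's: it keeps only what the hunk shows (get8() of tag and length, the "len > remaining" break, the program_info_length arithmetic) and runs the pre-patch and patched variants over the same constructed PMT fragments. The loop condition `program_info_length >= 2`, the `p += len` skip, p_end being the section end, and the "consumed + remaining must equal the original length" invariant are assumptions of this model, not facts taken from the patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the program_info descriptor loop in pmt_cb()
 * (libavformat/mpegts.c). Not FFmpeg code: only the pieces visible in the
 * patch are reproduced so the two bookkeeping variants can be compared.
 *
 * Assumptions (not taken from the patch):
 *  - the loop runs while program_info_length >= 2 (a tag/length pair);
 *  - p_end is the end of the whole section, not of the program info area;
 *  - descriptor payloads are skipped with p += len.
 */

struct walk_result {
    int consumed;   /* bytes advanced from the start of the program info area */
    int remaining;  /* program_info_length when the loop exits */
    int broke;      /* 1 if the loop left via the "something else is broken" break */
};

/* Same contract as the parser's get8(): read one byte and advance. */
static int get8(const uint8_t **pp, const uint8_t *p_end)
{
    if (*pp >= p_end)
        return -1;  /* assumption: reading past the section is treated as an error */
    return *(*pp)++;
}

static struct walk_result walk_program_info(const uint8_t *section, size_t section_len,
                                            int program_info_length, int patched)
{
    const uint8_t *p = section, *p_end = section + section_len;
    struct walk_result r = { 0, 0, 0 };

    while (program_info_length >= 2) {
        int tag = get8(&p, p_end);
        int len = get8(&p, p_end);
        if (tag < 0 || len < 0)
            break;

        if (patched) {
            /* patched hunk: account for the two bytes get8() already consumed,
             * then compare the declared length with what is really left */
            program_info_length -= 2;
            if (len > program_info_length) {
                r.broke = 1;
                break;
            }
            program_info_length -= len;
        } else {
            /* pre-patch: the break happens before the tag/length bytes are
             * subtracted, so remaining is 2 bytes too large on that path */
            if (len > program_info_length - 2) {
                r.broke = 1;
                break;
            }
            program_info_length -= len + 2;
        }
        p += len;
    }
    r.consumed  = (int)(p - section);
    r.remaining = program_info_length;
    return r;
}

/* Assumed invariant for any consumer that later skips `remaining` bytes:
 * consumed + remaining must equal the original program_info_length.
 * Returns how many bytes the bookkeeping is off by (0 = consistent). */
static int accounting_gap(struct walk_result r, int program_info_length)
{
    return r.consumed + r.remaining - program_info_length;
}

/* Constructed PMT fragments: 6 bytes of program info followed by 3 bytes
 * standing in for the start of the ES loop. */
#define PMT_INFO_LEN 6
static const uint8_t pmt_good[] = { 0x05, 0x04, 'H', 'D', 'M', 'V', 0x1b, 0xe1, 0x00 };
/* same, but the registration descriptor claims 16 payload bytes while
 * only 4 remain in the program info area */
static const uint8_t pmt_bad[]  = { 0x05, 0x10, 'H', 'D', 'M', 'V', 0x1b, 0xe1, 0x00 };

static int gap_for(const uint8_t *section, size_t section_len, int patched)
{
    return accounting_gap(walk_program_info(section, section_len, PMT_INFO_LEN, patched),
                          PMT_INFO_LEN);
}

int main(void)
{
    printf("well-formed : pre-patch gap=%d, patched gap=%d\n",
           gap_for(pmt_good, sizeof pmt_good, 0), gap_for(pmt_good, sizeof pmt_good, 1));
    printf("oversized   : pre-patch gap=%d, patched gap=%d\n",
           gap_for(pmt_bad, sizeof pmt_bad, 0), gap_for(pmt_bad, sizeof pmt_bad, 1));
    return 0;
}
```

On the well-formed fragment both variants consume all 6 bytes and leave 0 remaining. On the oversized descriptor both break after reading the tag and length, but the pre-patch arithmetic still reports 6 bytes remaining while 2 have been consumed, which is the 2-byte discrepancy the commit message describes; the patched arithmetic reports 4.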