From patchwork Tue Sep 14 18:46:32 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Jorge Dato <nicolas.dato@gmail.com>
X-Patchwork-Id: 30248
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6602:2a4a:0:0:0:0 with SMTP id k10csp5261027iov;
        Tue, 14 Sep 2021 11:46:57 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJyLbnh3pXai6R+hR4rnp0WcXvd+oM2nQxKOLJv6QP2KBpWFYIioIfpyR6pkgh4uWvxD4F1y
X-Received: by 2002:a05:6402:389:: with SMTP id
 o9mr20426845edv.213.1631645217035;
        Tue, 14 Sep 2021 11:46:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1631645217; cv=none;
        d=google.com; s=arc-20160816;
        b=fv/J1U+hQEFTB7ZE4ldJ/ZdJMGYRD9KU0JPDzFZC3UTcyTldLJyKSDg1UCt6LtyXCI
         zchV0P6MXyR99/PfmfJm17Ckuojo/u4FY0gdkdZTaS3znAV4wow/iCtmSyl+OR7rI8q2
         mZYkkafJwwKtrtXFRkQYCJHOFq5+Vaonk6mDkSZ4PfqeR1sksRMRztAWPHYlgjwYb72H
         J03ZxT2Dc43HvggQO7iJls4rJWZkdxIvLldQS+e0bFL5eaK1rCxcBI4MPQ1O8fm371Dl
         3Dc29qg8vZjBibrgM2gOMrUazxgRAiUU85vcw4zC9hJMYYFvIF6Bf2f00odreK6paCVr
         RWcQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:cc:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:mime-version:message-id:date:to:from
         :dkim-signature:delivered-to;
        bh=TtIoQSNXxu5+L6kUX2+t1J1xwarEOxrf3bWfKBXX2Uo=;
        b=NnzUGR3xcyYJa2gEyR+vMZzADywIe+0dpPHsFi2ktyWbFA8l/9QnKTuM8RjPR5wZRQ
         q10ZqUjgHLw0rh03RewIVw5aoOEPzFc13rvjJdgNQ5nzq4NOdN1InrSEUp8QRkPXa7NE
         8YNJfYJjvue95OfT/FAkv0YdUazCnEtlieRA28fgeouuNVy4QfGt2cfdidw8WgQkzUNr
         pG85xTK0o98lVlPNyxfYkcsF+YWj2I0DZVA8BK7imQgT/8qSNPPcB765Zq2MQmdByI7X
         aucX69o80g8Rz2LrNfh1BzC+cKeK7eMyVNUA5Va4mEzve5Ek4Ayw+uBMn6/KPzokn2mh
         4dBA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=ZQapxbTi;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 b10si14230079ejj.295.2021.09.14.11.46.55;
        Tue, 14 Sep 2021 11:46:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=ZQapxbTi;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 26D8C68AE5B;
	Tue, 14 Sep 2021 21:46:52 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com
 [209.85.222.175])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id AC2D168AE5B
 for <ffmpeg-devel@ffmpeg.org>; Tue, 14 Sep 2021 21:46:45 +0300 (EEST)
Received: by mail-qk1-f175.google.com with SMTP id a66so557237qkc.1
 for <ffmpeg-devel@ffmpeg.org>; Tue, 14 Sep 2021 11:46:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=1aToypnhK8SxeorgvOY50nRp4o1ouOOKIZ8nyKOYCqc=;
 b=ZQapxbTi3kPGj6qh2EQf9GSUua9IG/LpshxKIn+s9dXIMyHxwnom8sgr2chbGrM2jg
 gGj6xmALWI4BfmGaQ+ujLS6gq/hw2R87VHyW3KpVq80FQXEyfytu75UTtsGpQrKWm7Ex
 FTnENzNlUGEqAAD9jx7TKRwdfqC/o1v7/1LeXF15Xfla+iWXNG8CQ/hziUIIWft/Vp73
 cMSHfRHpkCLPdEyKu+qG/WlW4hC6imO5ZeIqY62Riz1x6iXoyhlgMDnCehGW9h0ZeTZq
 CVcVupaKwbl1LnY/+6UiPxgg2KqhvXKmNoJXrtaDkCKXudeYBf6MkHJEVoqn5EtF2TJp
 C8ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=1aToypnhK8SxeorgvOY50nRp4o1ouOOKIZ8nyKOYCqc=;
 b=V7bj7zdinNqH3YbcA7t9DwGI9Q00qFPv1BOeriUvfOLAvXObkhssqRCkzuhMVeZoTw
 6PrlyMkGP7xo/WfRvp87TtF7/CBabMxhIGi9pYObP/zbkO0NJ9y0n82Hj56XRa935H1B
 xy/NsFLvl/PKq0rnp2CSBr6JiTROltbiwpwxSgjT3+bDwuni4I4K77AYUCx6PARaYJWR
 qdlUZ2Zxsaabj23lspjNInVNLnrRQrhse6Xs6se5i5Vs0JQ+nLb0tQrfILarewqQUcpd
 XjBT0dgUQipOOtWSHGRzqzotZoO6dpTcgk+gB09baaKqH0Rlv1x66mVfou2hyDHfHsAG
 CpEA==
X-Gm-Message-State: AOAM533R0FnZHj2ciNKuwNxQ3xBh66riwhq517XvegEUuwP03NFeLoEr
 qAr00HfrhyT15Cao7Vggk/dWmqQ2kkQ=
X-Received: by 2002:a05:620a:2045:: with SMTP id
 d5mr6261972qka.281.1631645204112;
 Tue, 14 Sep 2021 11:46:44 -0700 (PDT)
Received: from localhost.localdomain ([190.246.222.136])
 by smtp.gmail.com with ESMTPSA id c72sm8039698qkg.5.2021.09.14.11.46.42
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 14 Sep 2021 11:46:43 -0700 (PDT)
From: Nicolas Jorge Dato <nicolas.dato@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 14 Sep 2021 15:46:32 -0300
Message-Id: <20210914184632.12637-1-nicolas.dato@gmail.com>
X-Mailer: git-send-email 2.33.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH v2] avformat/mpegts: fixes overflow handlign
 when parsing the PMT
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Nicolas Jorge Dato <nicolas.dato@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: euh9/YM3OlpT

When an possible overflow was detected, there was a break to exit the while loop.
However, it should have already substracted 2 bytes from program_info_length (descriptor ID + length).
Ticket #9422
---
 libavformat/mpegts.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index fe89d4fb9f..f4e95d21fd 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -2346,10 +2346,11 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len
 
         av_log(ts->stream, AV_LOG_TRACE, "program tag: 0x%02x len=%d\n", tag, len);
 
-        if (len > program_info_length - 2)
+        program_info_length -= 2;
+        if (len > program_info_length)
             // something else is broken, exit the program_descriptors_loop
             break;
-        program_info_length -= len + 2;
+        program_info_length -= len;
         if (tag == IOD_DESCRIPTOR) {
             get8(&p, p_end); // scope
             get8(&p, p_end); // label