From patchwork Mon Dec 20 19:53:09 2021 X-Patchwork-Submitter: Gyan Doshi X-Patchwork-Id: 32771
From: Gyan Doshi To: ffmpeg-devel@ffmpeg.org Date: Tue, 21 Dec 2021 01:23:09 +0530 Message-Id: <20211220195310.5633-1-ffmpeg@gyani.pro> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] avformat/mov: abort reading truncated stts X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: K9AcEjtLcsbi Avoids overreading the box and ingesting absurd values into stts_data --- Fixes prolonged demuxing for fuzzer-generated files in the loop added in patch for max_stts_delta libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2aed6e80ef..8d88119b29 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2935,6 +2935,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if (atom.size < 8 + entries*8) { + av_log(c->fc, AV_LOG_ERROR, "Truncated STTS box for st %d.\n", c->fc->nb_streams-1); + return AVERROR_INVALIDDATA; + } + av_log(c->fc, AV_LOG_TRACE, "track[%u].stts.entries = %u\n", c->fc->nb_streams-1, entries);
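Review bot: the new check `atom.size < 8 + entries*8` in mov_read_stts can be defeated by integer wraparound. entries is read with avio_rb32() and logged with %u in the trace line that follows, so if it is a 32-bit unsigned value, `entries*8` is evaluated in 32 bits before it is compared with atom.size. Any entries value of 0x20000000 or more wraps (0x20000000 * 8 is 0 in 32 bits), so a truncated box carrying one of the absurd counts this patch is meant to reject still passes the check. Do the arithmetic in 64 bits, for example `8 + (int64_t)entries * 8`, or avoid the multiplication with `entries > (atom.size - 8) / 8` after confirming atom.size is at least 8. A smaller point: the added av_log prints `c->fc->nb_streams-1` with %d while the trace line directly below prints the same expression with %u; use %u in both.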