From patchwork Wed Dec 22 12:47:27 2021
X-Patchwork-Submitter: Gyan Doshi
X-Patchwork-Id: 32835
From: Gyan Doshi
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 22 Dec 2021 18:17:27 +0530
Message-Id: <20211222124728.7300-1-ffmpeg@gyani.pro>
Subject: [FFmpeg-devel] [PATCH v2 1/2] avformat/mov: add validate_box_size

Helper function to check if stored box size is correct and looks to be fully available.
---
 libavformat/mov.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2aed6e80ef..7de95b7ab0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -80,6 +80,40 @@ static int mov_read_mfra(MOVContext *c, AVIOContext *f); static int64_t add_ctts_entry(MOVCtts** ctts_data, unsigned int* ctts_count, unsigned int* allocated_size, int count, int duration); +/** Check if the box size meets the requirements passed in limit and constraint_type. + * If input avio_size is valid, it checks if box size appears to be available. + * + * constraint_type may be + * 0 if the box size has to be exactly equal to limit + * -1 if the box size has to be at most limit + * 1 if the box size has to be at least limit + * + * Returns 0 if size meets requirements. + */ +static int validate_box_size(MOVContext *c, MOVAtom atom, AVIOContext *pb, + int64_t pos, int64_t limit, int constraint_type) +{ + int size_fit; + int64_t input_size = avio_size(pb); + + if (input_size > 0 && + input_size - pos < atom.size) { + av_log(c->fc, AV_LOG_ERROR, "Box %s is truncated\n", av_fourcc2str(atom.type)); + return AVERROR_INVALIDDATA; + } + + if (FFABS(constraint_type) > 1) + return AVERROR_BUG; + + switch(constraint_type) { + case 0: size_fit = atom.size == limit; break; + case -1: size_fit = atom.size <= limit; break; + case 1: size_fit = atom.size >= limit; break; + } + + return !size_fit; +} + static int mov_metadata_track_or_disc_number(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { From patchwork Wed Dec 22 12:47:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyan Doshi X-Patchwork-Id: 32836 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a6b:cd86:0:0:0:0:0 with SMTP id d128csp6344156iog; Wed, 22 Dec 2021 04:48:17 -0800 (PST) X-Google-Smtp-Source: ABdhPJzxlGdKI6nv/CGJaGkNqZFQEhCmUK2xOfTkSeQ51MFQ2TkhLzalysKscvejDqTqfV8JM8Th X-Received: by 2002:a05:6402:cbb:: with SMTP id cn27mr2767648edb.54.1640177297386; Wed, 22 Dec 2021 04:48:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1640177297; cv=none; d=google.com; s=arc-20160816; 
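Review bot: At `return !size_fit;` the helper mixes two return conventions: a truncated box returns AVERROR_INVALIDDATA and a bad constraint_type returns AVERROR_BUG, but a size mismatch returns a positive 1, and the doc comment only says "Returns 0 if size meets requirements". A caller that tests `ret < 0`, the usual check for AVERROR values, would treat a mismatch as success. Suggest returning AVERROR_INVALIDDATA on mismatch and documenting the negative returns. Also move the `FFABS(constraint_type) > 1` check ahead of the truncation check so a programming error is reported regardless of the input, and state in the comment that when avio_size() is not positive the availability check is skipped, leaving only the comparison against limit.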
From: Gyan Doshi
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 22 Dec 2021 18:17:28 +0530
Message-Id: <20211222124728.7300-2-ffmpeg@gyani.pro>
In-Reply-To: <20211222124728.7300-1-ffmpeg@gyani.pro>
Subject: [FFmpeg-devel] [PATCH v2 2/2] avformat/mov: validate box size for stts

---
 libavformat/mov.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7de95b7ab0..1e44c74944 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2969,6 +2969,12 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if (validate_box_size(c, atom, pb, avio_tell(pb)-8, 8+(int64_t)entries*8, 0)) { + av_log(c->fc, AV_LOG_ERROR, "Invalid or incomplete %s box in stream %d\n", + av_fourcc2str(atom.type), c->fc->nb_streams-1); + return AVERROR_INVALIDDATA; + } + av_log(c->fc, AV_LOG_TRACE, "track[%u].stts.entries = %u\n", c->fc->nb_streams-1, entries);
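Review bot: The call passes constraint_type 0, so the stts box is rejected unless atom.size is exactly `8+(int64_t)entries*8`; a box whose declared size is larger than its entry table needs (bytes left over after the last entry) now fails with AVERROR_INVALIDDATA. If the goal is to make sure the declared entries fit inside the box, constraint_type 1 (at least limit) expresses that without rejecting such boxes; if an exact match is intended, the commit message body, which is empty, should say so. Two smaller points: `avio_tell(pb)-8` hard-codes how many bytes this function has read so far, so saving the position at function entry would be less fragile, and `c->fc->nb_streams-1` is printed with %d here while the trace line just below prints the same expression with %u.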