[FFmpeg-devel] [PATCH v3 1/2] avformat/mov: add validate_box_size

[FFmpeg-devel] [PATCH v3 1/2] avformat/mov: add validate_box_size

[Gyan Doshi]

Helper function to check if stored box size is correct and looks
to be fully available.
---
 libavformat/mov.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2aed6e80ef..e223e95e2e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -80,6 +80,39 @@ static int mov_read_mfra(MOVContext *c, AVIOContext *f);
 static int64_t add_ctts_entry(MOVCtts** ctts_data, unsigned int* ctts_count, unsigned int* allocated_size,
                               int count, int duration);
 
+/**  Check if the box size meets the requirements passed in limit and constraint_type.
+ *   If input avio_size is valid, it checks if box size appears to be available.
+ *
+ *   constraint_type may be
+ *   0  if the box size has to be exactly equal to limit
+ *  -1  if the box size has to be at most limit
+ *   1  if the box size has to be at least limit
+ *
+ *   Returns 0 if size meets requirements.
+ */
+static int validate_box_size(MOVContext *c, MOVAtom atom, AVIOContext *pb,
+                             int64_t pos, int64_t limit, int constraint_type)
+{
+    int size_fit;
+    int64_t input_size = avio_size(pb);
+
+    if (input_size > 0 &&
+        input_size - pos < atom.size) {
+        av_log(c->fc, AV_LOG_ERROR, "Box %s is truncated\n", av_fourcc2str(atom.type));
+        return AVERROR_INVALIDDATA;
+    }
+
+    av_assert0(FFABS(constraint_type) <= 1);
+
+    switch(constraint_type) {
+    case  0: size_fit = atom.size == limit; break;
+    case -1: size_fit = atom.size <= limit; break;
+    case  1: size_fit = atom.size >= limit; break;
+    }
+
+   return !size_fit;
+}
+
 static int mov_metadata_track_or_disc_number(MOVContext *c, AVIOContext *pb,
                                              unsigned len, const char *key)
 {
-- 
2.33.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH v3 2/2] avformat/mov: validate box size for stts

[Gyan Doshi]

---
 libavformat/mov.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index e223e95e2e..71404ba07a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2968,6 +2968,12 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     avio_rb24(pb); /* flags */
     entries = avio_rb32(pb);
 
+    if (validate_box_size(c, atom, pb, avio_tell(pb)-8, 8+(int64_t)entries*8, 1)) {
+        av_log(c->fc, AV_LOG_ERROR, "Invalid or incomplete %s box in stream %d\n",
+               av_fourcc2str(atom.type), c->fc->nb_streams-1);
+       return AVERROR_INVALIDDATA;
+    }
+
     av_log(c->fc, AV_LOG_TRACE, "track[%u].stts.entries = %u\n",
             c->fc->nb_streams-1, entries);
 
-- 
2.33.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".