[FFmpeg-devel] [PATCH] avformat/avidec: Prevent entity expansion attacks

[FFmpeg-devel] [PATCH] avformat/avidec: Prevent entity expansion attacks

[Michael Niedermayer]

Fixes: Timeout
Fixes no testcase, this is the same idea as similar attacks against XML parsers

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/avidec.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 937d9e6ffb..910a4e8792 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -82,6 +82,8 @@ typedef struct AVIContext {
     int stream_index;
     DVDemuxContext *dv_demux;
     int odml_depth;
+    int64_t odml_read;
+    int64_t odml_max_pos;
     int use_odml;
 #define MAX_ODML_DEPTH 1000
     int64_t dts_max;
@@ -200,7 +202,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
     st  = s->streams[stream_id];
     ast = st->priv_data;
 
-    if (index_sub_type)
+    if (index_sub_type || entries_in_use < 0)
         return AVERROR_INVALIDDATA;
 
     avio_rl32(pb);
@@ -221,11 +223,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
     }
 
     for (i = 0; i < entries_in_use; i++) {
+        avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb));
+
+        // If we read more than there are bytes then we must have been reading something twice
+        if (avi->odml_read > avi->odml_max_pos)
+            return AVERROR_INVALIDDATA;
+
         if (index_type) {
             int64_t pos = avio_rl32(pb) + base - 8;
             int len     = avio_rl32(pb);
             int key     = len >= 0;
             len &= 0x7FFFFFFF;
+            avi->odml_read += 8;
 
             av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len);
 
@@ -244,6 +253,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
             int64_t offset, pos;
             int duration;
             int ret;
+            avi->odml_read += 16;
 
             offset = avio_rl64(pb);
             avio_rl32(pb);       /* size */
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] avformat/avidec: Prevent entity expansion attacks

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 515 bytes --]

On Thu, Aug 18, 2022 at 12:32:57AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes no testcase, this is the same idea as similar attacks against XML parsers
> 
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/avidec.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

He who knows, does not speak. He who speaks, does not know. -- Lao Tsu

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".