From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 391594A620
	for <ffmpegdev@gitmailbox.com>; Tue,  2 Apr 2024 02:29:54 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id ED28A68BDE1;
	Tue,  2 Apr 2024 05:29:52 +0300 (EEST)
Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com
 [209.85.215.201])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 28BAE68BDE1
 for <ffmpeg-devel@ffmpeg.org>; Tue,  2 Apr 2024 05:29:46 +0300 (EEST)
Received: by mail-pg1-f201.google.com with SMTP id
 41be03b00d2f7-5e4f312a995so2321343a12.2
 for <ffmpeg-devel@ffmpeg.org>; Mon, 01 Apr 2024 19:29:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1712024984; x=1712629784;
 h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
 :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=lvRbwNSJLGpIwoT1pRnjepaHAy6CXfp7PyWu6Y/nWfw=;
 b=u7f/5vBEcG6liw9+PoERVvZ8qAGqtqvKXKmpvuueCxKQjVymVBe2lIx3EVx2j7EUHK
 tRR1LNjBDnlF6073YjeMirG6W1OQI5YDVjjDGOpUIOSE8Bn7Yk6AFezy4cy4qqY/pSoH
 lNcSVXJxXqPKkl+iPVRP7vAV+hTU2pZ4NG5vFpP6GDhwmyk2+AZVNwYTXquG7hGaDjai
 qnW5JCmMmGgAv1f+7uakDZFt84zUES2iBc6OXMikZykv+YPuZZ9ua00oSQLVgI1nmxtC
 6DrAVzA+eKP6re9t4x/fh+SgCCcp//DVp9wQw7x0SkqEdNV2CW9tDkBORSUXp15S/GIE
 O82Q==
X-Gm-Message-State: AOJu0Yy/yrqMii74IrT5kZYkwffdt5yVGnUyALac9FvW0N0Zqy2hdAqZ
 XHwdHnC1BZ61lLou0w4Sy1+dnMCvirlF1C8X0kkeDyOLKSKjfGK4aoKHYoMLUMcsjx2I3QW0IDJ
 FcUDtu3MUukdL2IbIdAgfn/ZYMONTUHlIG4WoA7HL65JpyF66h8CQQ2OEnQKjffY3AHGsZiBjpT
 jXRX+iT5m37Vd1Kf1oNkUofR9C3P3+Rbk8odMH5s4/MHU=
X-Google-Smtp-Source: AGHT+IG1JFeHohoMT7zeygRi9sSZxcLnl8gExn05Mg1e4KDvQFgtq6Ckqrkl6EmHYk8ux3lvLCaXrKZV7JSRwg==
X-Received: from ez-linux.bve.corp.google.com
 ([2620:15c:7d:6:e80c:319b:f389:8bbf])
 (user=ezemtsov job=sendgmr) by 2002:a17:902:e751:b0:1e2:3051:8194 with SMTP
 id p17-20020a170902e75100b001e230518194mr1006734plf.11.1712024983548; Mon, 01
 Apr 2024 19:29:43 -0700 (PDT)
Date: Mon,  1 Apr 2024 19:28:03 -0700
In-Reply-To: <20240402022928.585868-1-ezemtsov@google.com>
Mime-Version: 1.0
References: <6ba08b58-2831-4e9b-8f22-1812d2e59a84@gmail.com>
 <20240402022928.585868-1-ezemtsov@google.com>
X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog
Message-ID: <20240402022928.585868-2-ezemtsov@google.com>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] mov demuxer: Check if a key is longer than
 the atom containing it
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
From: Eugene Zemtsov via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Eugene Zemtsov <ezemtsov@google.com>, eugene@chromium.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20240402022928.585868-2-ezemtsov@google.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

From: Eugene Zemtsov <eugene@chromium.org>

Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.

Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
---
 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 662301bf67..2d92e7963b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5048,12 +5048,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     for (i = 1; i <= count; ++i) {
         uint32_t key_size = avio_rb32(pb);
         uint32_t type = avio_rl32(pb);
-        if (key_size < 8) {
+        if (key_size < 8 || key_size > atom.size) {
             av_log(c->fc, AV_LOG_ERROR,
                    "The key# %"PRIu32" in meta has invalid size:"
                    "%"PRIu32"\n", i, key_size);
             return AVERROR_INVALIDDATA;
         }
+        atom.size -= key_size;
         key_size -= 8;
         if (type != MKTAG('m','d','t','a')) {
             avio_skip(pb, key_size);
-- 
2.44.0.478.gd926399ef9-goog

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".