From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id D77E94AD0C
	for <ffmpegdev@gitmailbox.com>; Mon, 20 May 2024 01:42:43 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5061E68C3F6;
	Mon, 20 May 2024 04:42:40 +0300 (EEST)
Received: from mail-oi1-f177.google.com (mail-oi1-f177.google.com
 [209.85.167.177])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0154468CD5C
 for <ffmpeg-devel@ffmpeg.org>; Mon, 20 May 2024 04:42:33 +0300 (EEST)
Received: by mail-oi1-f177.google.com with SMTP id
 5614622812f47-3c74b27179dso2141198b6e.1
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 May 2024 18:42:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1716169351; x=1716774151; darn=ffmpeg.org;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=syokRZgMMOZYHynKG+Xb4X54LGbHX0JiOcC76/II7Vo=;
 b=brRoYvOq5iFzDRSNJFcHPPWSeJqXEDTzZQLezaSuHRjD41Nh598Hxj3pGbdbECWbzs
 tbBqjmRhdNnzUy+gAdMavNJf0lD5a8cKkNPQdoPCMsHw+9A1dR2F3GBjG7t7lkJpmzKW
 d+oFViVf2di2w6UMr1c3i/DjHcgWS7Fj1NeWLCcwMIyLMxjCLLJCdGwudNtCGEfVEm3d
 /1D2EFqpdG8egd8c312vwjjEY6zAm0zaMRB+TE5HNRBX4TN9lbPXK1n23Tn741mkmpAV
 iy2ZoWx4hPKFdLuhGMaqjbFzPTO6otXzCXJrtcWP/ZNPLGIpK6+5Diirixw4IP3cmjB9
 FScA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1716169351; x=1716774151;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=syokRZgMMOZYHynKG+Xb4X54LGbHX0JiOcC76/II7Vo=;
 b=bpSAQptXcOfvVuiiHInpR6tD7K0ZbUzzYfnhqPmeMRZJ0zknJx8CsiVs/NAiVgbV8G
 kjXJ3MG12/yeirzwoTb29JaEg5ojQxL3Ek7mmeKks87wM85CdaSBYOVMygENrCMvRfgk
 czWRn/dhpdi8xcdO9Lbq0vrLksdJyNawL3r466Bl4JpAu3RJ3eBnsq2eJ1paD5YbHshM
 HP/hJVwpEXKsiMY+tnrWYJUpl+0RIGYiOJ+fNF+HSMrx1X1BD+HQhJwbVKp8wUyvOcZa
 Z5OFSRgbv0lw5lwCQc5EMzWWrC1NJKenRqLmhPYrRYAhtCVvdk1rZ/BypqQXnvcbOWwN
 pJSw==
X-Gm-Message-State: AOJu0Yy90FgXiUwZEhaQVgD3B5JP6wzCY3yHh4LmG2ot4zoH7Z/n20Mk
 FUAcZyi681lOwjb1wKb4Je7oFFAqWd6zcD0C8TWG8kuH5Jvhm9QcUWt6QQ==
X-Google-Smtp-Source: AGHT+IFHpV581gVa0eK3NtzISP3QhxSgWjZOI4V8MuscrX9w0H3VMGM6p+TZ2LM/pgENtS/Vwa5mvA==
X-Received: by 2002:aca:190e:0:b0:3c9:257d:ee50 with SMTP id
 5614622812f47-3c997069332mr29239898b6e.28.1716169351151; 
 Sun, 19 May 2024 18:42:31 -0700 (PDT)
Received: from localhost.localdomain ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-6f4d2af2b30sm18719435b3a.146.2024.05.19.18.42.29
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 19 May 2024 18:42:30 -0700 (PDT)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 19 May 2024 22:41:57 -0300
Message-ID: <20240520014157.5399-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.45.1
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] avformat/mov: store sample_sizes as unsigned
 ints
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20240520014157.5399-1-jamrial@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

As defined in Section 8.7.3.2.1 of ISO 14496-12.
Any unsupported value will be rejected in mov_build_index() without outright
aborting demuxing.

Fixes ticket #11005.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/isom.h | 2 +-
 libavformat/mov.c  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/isom.h b/libavformat/isom.h
index 07f09d6eff..c0a5788e08 100644
--- a/libavformat/isom.h
+++ b/libavformat/isom.h
@@ -193,7 +193,7 @@ typedef struct MOVStreamContext {
     unsigned int sample_size; ///< may contain value calculated from stsd or value from stsz atom
     unsigned int stsz_sample_size; ///< always contains sample size from stsz atom
     unsigned int sample_count;
-    int *sample_sizes;
+    unsigned int *sample_sizes;
     int keyframe_absent;
     unsigned int keyframe_count;
     int *keyframes;
diff --git a/libavformat/mov.c b/libavformat/mov.c
index b3fa748f27..54c2d1eebc 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3308,9 +3308,9 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     for (i = 0; i < entries; i++) {
         sc->sample_sizes[i] = get_bits_long(&gb, field_size);
-        if (sc->sample_sizes[i] < 0) {
+        if (sc->sample_sizes[i] > INT64_MAX - sc->data_size) {
             av_free(buf);
-            av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]);
+            av_log(c->fc, AV_LOG_ERROR, "Sample size overflow in STSZ\n");
             return AVERROR_INVALIDDATA;
         }
         sc->data_size += sc->sample_sizes[i];
-- 
2.45.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".