From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 2 Apr 2024 00:18:25 -0300
Subject: Re: [FFmpeg-devel] [PATCH] mov demuxer: Check if a key is longer than the atom containing it
Message-ID: <3b44c3e2-f421-4b65-984f-5568e9095f6b@gmail.com>
In-Reply-To: <20240402022928.585868-2-ezemtsov@google.com>
References: <6ba08b58-2831-4e9b-8f22-1812d2e59a84@gmail.com> <20240402022928.585868-1-ezemtsov@google.com> <20240402022928.585868-2-ezemtsov@google.com>
List-Id: FFmpeg development discussions and patches
User-Agent: Mozilla Thunderbird
Content-Type: text/plain; charset="us-ascii"; Format="flowed"

On 4/1/2024 11:28 PM, Eugene Zemtsov via ffmpeg-devel wrote:
> From: Eugene Zemtsov > > Stop reading keys and return AVERROR_INVALIDDATA if key_size > is larger than the amount of space left in the atom. > > Bug: https://crbug.com/41496983 > Signed-off-by: Eugene Zemtsov > --- > libavformat/mov.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 662301bf67..2d92e7963b 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -5048,12 +5048,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) > for (i = 1; i <= count; ++i) { > uint32_t key_size = avio_rb32(pb); > uint32_t type = avio_rl32(pb); > - if (key_size < 8) { > + if (key_size < 8 || key_size > atom.size) { > av_log(c->fc, AV_LOG_ERROR, > "The key# %"PRIu32" in meta has invalid size:" > "%"PRIu32"\n", i, key_size); > return AVERROR_INVALIDDATA; > } > + atom.size -= key_size; > key_size -= 8; > if (type != MKTAG('m','d','t','a')) { > avio_skip(pb, key_size); Applied. Thanks. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
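Review bot: `key_size > atom.size` only means "larger than the space left in the atom" if atom.size has already been reduced by the version/flags and count fields read before this loop; those reads are outside the hunk, so please confirm that bookkeeping, otherwise the bound is loose by whatever they consumed and a key can still run past the end of the atom. Also worth confirming that atom.size is a wider signed type (int64_t) so that the uint32_t key_size promotes to it in the comparison rather than atom.size converting to unsigned. Two smaller points: both rejections (`key_size < 8` and `key_size > atom.size`) now share the one "invalid size" message, so logging the remaining atom size next to key_size would make fuzzer reports easier to triage; and since every key costs at least 8 bytes, a one-line `count > atom.size / 8` guard before the loop would reject a bogus count before any per-key reads.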
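As an added example, not FFmpeg's code and not the patch itself: a stand-alone parser for the body of a QuickTime 'keys' atom that applies the rule the commit message describes, rejecting a key whose declared size exceeds the bytes left in the atom. It can also be run in a mode that mimics the pre-patch logic (only `key_size >= 8` is required) and, instead of reading past its buffer, reports how far beyond the atom end that logic would have consumed. The atom layout it assumes (4 bytes version/flags, a big-endian entry count, then `[size][namespace][key name]` entries) follows the QuickTime metadata format; the function and constant names, and the three sample atom bodies, are this example's own.

```c
/* Added example, not FFmpeg code: a stand-alone parser for the body of a
 * QuickTime 'keys' atom that applies the bound the commit message describes.
 * Assumed layout (QuickTime metadata format): 4 bytes version/flags, 4-byte
 * big-endian entry count, then 'count' entries of
 * [4-byte BE key_size][4-byte namespace][key_size - 8 bytes of key name].
 * Every name here (keys_parse, KEYS_*, the sample arrays) is this example's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { KEYS_OK = 0, KEYS_INVALID_DATA = -1, KEYS_OVERREAD = -2 };

static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse 'len' bytes of atom body (the part after the 8-byte size/type
 * header). bounded == 1 applies the patch's rule: a key whose size exceeds
 * the bytes left in the atom is rejected. bounded == 0 mimics the pre-patch
 * logic, which only required key_size >= 8; rather than read past the
 * buffer it stops and reports via *overrun how many bytes beyond the atom
 * end that logic would have consumed. *nkeys counts keys accepted so far. */
static int keys_parse(const uint8_t *body, size_t len, int bounded,
                      uint32_t *nkeys, size_t *overrun)
{
    size_t   remaining, pos;
    uint32_t count, i;

    *nkeys = 0;
    *overrun = 0;
    if (len < 8)
        return KEYS_INVALID_DATA;
    count     = rb32(body + 4);         /* after version/flags */
    pos       = 8;
    remaining = len - 8;                /* bytes left for key entries */

    for (i = 1; i <= count; i++) {
        uint32_t key_size;

        if (remaining < 8) {            /* not even a key header left */
            if (bounded)
                return KEYS_INVALID_DATA;   /* any key needs >= 8 bytes */
            *overrun = 8 - remaining;
            return KEYS_OVERREAD;
        }
        key_size = rb32(body + pos);    /* includes its own 8-byte header */
        /* body + pos + 4 holds the namespace tag ('mdta'); unused here */
        if (key_size < 8)
            return KEYS_INVALID_DATA;
        if (key_size > remaining) {
            if (bounded)
                return KEYS_INVALID_DATA;   /* the check the patch adds */
            *overrun = key_size - remaining;
            return KEYS_OVERREAD;
        }
        remaining -= key_size;
        pos       += key_size;
        (*nkeys)++;
    }
    return KEYS_OK;
}

/* Constructed sample atom bodies, not taken from any real file. */
static const uint8_t keys_good[] = {        /* count 1, one 19-byte key */
    0,0,0,0, 0,0,0,1,
    0,0,0,19, 'm','d','t','a', 'c','o','m','.','e','x','a','m','p','l','e',
};
static const uint8_t keys_oversized[] = {   /* 2nd key claims 64, 12 remain */
    0,0,0,0, 0,0,0,2,
    0,0,0,19, 'm','d','t','a', 'c','o','m','.','e','x','a','m','p','l','e',
    0,0,0,64, 'm','d','t','a', 'a','b','c','d',
};
static const uint8_t keys_bogus_count[] = { /* count 0xFFFFFFFF, no entries */
    0,0,0,0, 0xff,0xff,0xff,0xff,
};

/* One-result wrappers so a caller or test can query a single field. */
static int keys_status(const uint8_t *b, size_t n, int bounded)
{ uint32_t k; size_t o; return keys_parse(b, n, bounded, &k, &o); }
static uint32_t keys_count(const uint8_t *b, size_t n, int bounded)
{ uint32_t k; size_t o; keys_parse(b, n, bounded, &k, &o); return k; }
static size_t keys_overrun(const uint8_t *b, size_t n, int bounded)
{ uint32_t k; size_t o; keys_parse(b, n, bounded, &k, &o); return o; }

int main(void)
{
    printf("good: %d (%u keys)\n", keys_status(keys_good, sizeof keys_good, 1),
           keys_count(keys_good, sizeof keys_good, 1));
    printf("oversized: bounded %d, old logic overreads by %zu bytes\n",
           keys_status(keys_oversized, sizeof keys_oversized, 1),
           keys_overrun(keys_oversized, sizeof keys_oversized, 0));
    printf("bogus count: bounded %d\n",
           keys_status(keys_bogus_count, sizeof keys_bogus_count, 1));
    return 0;
}
```

The `remaining` counter plays the role of the patch's decremented `atom.size`: it is checked before it is reduced, and it is reduced by the full `key_size` (header included) before `key_size - 8` bytes of key name would be consumed. The third sample shows why the bound also neutralises an absurd `count`: the loop fails on its first iteration rather than spinning through 4 billion entries.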