Message-ID: <6ba08b58-2831-4e9b-8f22-1812d2e59a84@gmail.com>
Date: Mon, 1 Apr 2024 20:18:17 -0300
From: James Almer
To: ffmpeg-devel@ffmpeg.org
In-Reply-To: <20240401231219.540130-1-ezemtsov@google.com>
Subject: Re: [FFmpeg-devel] [PATCH] mov demuxer: Check if a key is longer than the atom containing it

On 4/1/2024 8:12 PM, Eugene Zemtsov via ffmpeg-devel wrote:
> From: Eugene Zemtsov
>
> Stop reading keys and return AVERROR_INVALIDDATA if key_size
> is larger than the amount of space left in the atom.
>
> Bug: https://crbug.com/41496983
> Signed-off-by: Eugene Zemtsov > --- > libavformat/mov.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 662301bf67..5d2f7fa690 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -5045,15 +5045,18 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) > if (!c->meta_keys) > return AVERROR(ENOMEM); > > + uint32_t bytes_left_in_atom = atom.size; > for (i = 1; i <= count; ++i) { > uint32_t key_size = avio_rb32(pb); > uint32_t type = avio_rl32(pb); > - if (key_size < 8) { > + if (key_size < 8 || key_size > bytes_left_in_atom) { > av_log(c->fc, AV_LOG_ERROR, > "The key# %"PRIu32" in meta has invalid size:" > "%"PRIu32"\n", i, key_size); > return AVERROR_INVALIDDATA; > } > + > + bytes_left_in_atom -= key_size; atom is a copy and not used anywhere else in this function, so you can just do atom.size -= key_size and check for that above instead. > key_size -= 8; > if (type != MKTAG('m','d','t','a')) { > avio_skip(pb, key_size); _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
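Review bot: the budget set in `+ uint32_t bytes_left_in_atom = atom.size;` starts at the full atom payload, yet the `count` the loop iterates over must already have been read from that payload before this point, so whatever the function consumed ahead of the loop is never deducted and the last key can still claim up to that many bytes past the end of the atom while passing `key_size > bytes_left_in_atom`; initialise the budget from the bytes actually left when the loop starts (or decrement `atom.size` as each field is read, along the lines of the reply) so the comparison is exact. Copying `atom.size` into a `uint32_t` also truncates it silently if that field is wider than 32 bits; checking against `atom.size` itself avoids both problems.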
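An added example, not code from the patch or from FFmpeg, of the bounds check the commit message describes: a stand-alone parser for the 'keys' atom payload, run over constructed sample atoms (the names parse_keys_atom, KEYS_OK, KEYS_OVERRUN and KEYS_TINY are assumptions). A well-formed atom parses, a key whose key_size exceeds the bytes really remaining is rejected, and so is a key_size smaller than its own 8-byte header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static uint32_t rb32(const uint8_t *p) {          /* like avio_rb32() */
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parses a 'keys' atom payload (the bytes after its 8-byte size/'keys' header):
 * version+flags (4), count (BE32), then count entries of key_size (BE32, which
 * includes its own 8-byte header), a 4-byte namespace tag and key_size-8 bytes
 * of key text. Returns the number of 'mdta' keys, or -1 where FFmpeg would
 * return AVERROR_INVALIDDATA. The byte budget starts after the 8 header bytes
 * read before the loop, so key_size is compared with what is really left. */
int parse_keys_atom(const uint8_t *buf, size_t atom_size) {
    if (atom_size < 8)
        return -1;
    uint32_t count = rb32(buf + 4), mdta = 0;     /* buf[0..3] = version/flags */
    const uint8_t *p = buf + 8;
    size_t left = atom_size - 8;
    for (uint32_t i = 1; i <= count; i++) {
        if (left < 8)                             /* count exceeds real entries */
            return -1;
        uint32_t key_size = rb32(p);
        if (key_size < 8 || key_size > left)      /* the check the patch adds */
            return -1;
        mdta += memcmp(p + 4, "mdta", 4) == 0;    /* other namespaces are skipped */
        p    += key_size;
        left -= key_size;
    }
    return (int)mdta;
}

/* Constructed sample payloads, not taken from any real file. */
static const uint8_t KEYS_OK[] = {
    0,0,0,0, 0,0,0,2,                                        /* flags, count=2 */
    0,0,0,15, 'm','d','t','a', 'c','o','m','.','f','o','o',  /* 8 + 7 bytes   */
    0,0,0,13, 'm','d','t','a', 'b','a','r','.','x',          /* 8 + 5 bytes   */
};
/* Same atom, but key 2 claims 21 bytes: 8 more than the 13 actually left
 * (a budget that started at the full 36-byte atom.size would accept it). */
static const uint8_t KEYS_OVERRUN[] = {
    0,0,0,0, 0,0,0,2,
    0,0,0,15, 'm','d','t','a', 'c','o','m','.','f','o','o',
    0,0,0,21, 'm','d','t','a', 'b','a','r','.','x',
};
static const uint8_t KEYS_TINY[] = { 0,0,0,0, 0,0,0,1, 0,0,0,4, 'm','d','t','a' };
int demo_ok(void)      { return parse_keys_atom(KEYS_OK, sizeof KEYS_OK); }
int demo_overrun(void) { return parse_keys_atom(KEYS_OVERRUN, sizeof KEYS_OVERRUN); }
int demo_tiny(void)    { return parse_keys_atom(KEYS_TINY, sizeof KEYS_TINY); }
```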