From: softworkz <ffmpegagent@gmail.com> To: ffmpeg-devel@ffmpeg.org Cc: Michael Niedermayer <michael@niedermayer.cc>, softworkz <softworkz@hotmail.com> Subject: [FFmpeg-devel] [PATCH v4 03/10] libavformat/asfdec: fix type of value_len Date: Sat, 14 May 2022 20:55:15 +0000 Message-ID: <97e0d765c98243e35d167bae0870b2c07fd613aa.1652561722.git.ffmpegagent@gmail.com> (raw) In-Reply-To: <pull.12.v4.ffstaging.FFmpeg.1652561722.ffmpegagent@gmail.com> From: softworkz <softworkz@hotmail.com> The value_len is an uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break. Signed-off-by: softworkz <softworkz@hotmail.com> --- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index c7c4ba55d6..eda7175c96 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s) static int asf_read_content_desc(AVFormatContext *s) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); 
@@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s) ASFContext *asf = s->priv_data; uint64_t dar_num[128] = {0}; uint64_t dar_den[128] = {0}; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM); -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
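Review bot: In the get_tag() hunk (@@ -219,7 +219,7 @@), only the parameter type changes from int to uint32_t; no other hunk in this patch touches the function body, so every comparison and size computation on len inside get_tag() silently switches to unsigned 32-bit arithmetic. A guard of the form len < 0 becomes dead code, and any buffer size derived from len can wrap instead of going negative. Please either include the body adjustments in this patch or state in the commit message that the body was audited for expressions that relied on a signed len, so that each commit in the series is safe on its own when bisecting.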
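Review bot: In the asf_read_content_desc() hunk (@@ -529,7 +529,7 @@), len1 through len5 become uint32_t although each is filled from avio_rl16(pb), so the fields are 16 bits wide on the wire. The commit message only justifies the change for value_len, and the asf_read_metadata() hunk uses uint16_t for its 16-bit fields. Either declare these as uint16_t for consistency, or add a line to the commit message saying they are widened only to match the new get_tag() parameter type.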
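Review bot: In the asf_read_metadata() hunk (@@ -620,25 +620,23 @@), dropping "if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;" leaves value_len, read with avio_rl32(pb), unvalidated up to UINT32_MAX in the visible lines, with no replacement bound. The removed check rejected oversized values rather than truncating them, so the rationale in the commit message does not cover it on its own. Please say where the length is now bounded (for example against the remaining object size before anything is allocated or read from it), or keep a rejection here that leaves the value itself unmodified. Minor: the (uint16_t) casts on avio_rl16(pb) are redundant, since assignment to a uint16_t variable already converts, and the realignment of the name_len_utf8 and av_malloc lines is whitespace-only noise in a type fix.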