From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id CAB6D4106A
	for <ffmpegdev@gitmailbox.com>; Sat, 14 May 2022 20:56:06 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D3ABF68B49C;
	Sat, 14 May 2022 23:55:37 +0300 (EEST)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com
 [209.85.210.169])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 30BA068B460
 for <ffmpeg-devel@ffmpeg.org>; Sat, 14 May 2022 23:55:29 +0300 (EEST)
Received: by mail-pf1-f169.google.com with SMTP id bo5so10670210pfb.4
 for <ffmpeg-devel@ffmpeg.org>; Sat, 14 May 2022 13:55:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:message-id:in-reply-to:references:date:subject:fcc
 :content-transfer-encoding:mime-version:to:cc;
 bh=vFC9J6gUyCuHzxh2glSoTSiclVhHxySFo9/Q3ots71w=;
 b=bt3qBnkKNOZ7ZJnmVhIAMbjW5ytRsEk/rB9ts8sVP5pttugTFR0Z8RJU5Hu2wy4ARJ
 v9XspptLOvO34jwIt/vchW/BZn9K8Z/0EvkB2k2Py7SFTjo+VadC7GqXtrLw1XXjQpFa
 0Xbukf6xp858S4zhy7CbRkI+GDXDLQ7+h65a3WwMcejD94ZzCRE5UQZwnvs8pet/MpjI
 fJkCCjhSeHhkyfYgySREHKlX+6v7YK6dNuI+PHrqX4Bg5ZMbj8cUb8r5WYjbWxJrL0Zp
 geeapsJtgiHtRTvS9KnWMoycILw5Ncm60hdN03FtZEjr5C3yCg86iIPIo8MtMZkhH5L/
 KX6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:message-id:in-reply-to:references:date
 :subject:fcc:content-transfer-encoding:mime-version:to:cc;
 bh=vFC9J6gUyCuHzxh2glSoTSiclVhHxySFo9/Q3ots71w=;
 b=VXTkQwcDPV8mBNbW2KI6ibljIYI1akiAmuBo49E3mMCnCA2YfVJOR35RLOh3F2zIXK
 uWdjxs4c0tMJBZZRpX6x6mAXUe7QESafe4qn6+zH1oak4gQQZzP8CXAcYx3u2gtSJ97A
 R7Us6TWz+qdjDfZxY/Wb0uldwJcjw893qp7cE1RUMR3hToJVJ9jM1cEa43wrjWWQ22Z1
 ekmYLcdoB0XGaO4TFTX+G37G2IkWHUEQQbcmHaypat8blr3Xard7J9p0kUNtzSJpQkjn
 qdYcwiqcjW6HmuaKqhwmuQImFYywDyhzJohbUsiVPKsNKr+nC2hLpibN8g6CNFaKeIad
 1R3g==
X-Gm-Message-State: AOAM532D/eX6ORLb4EzyeIqUXxXBJHWCgSurenBJWH1DY0ZJ9HGD2IrU
 5TMKqmjLCkq43um9dhO9YDfFhKHVY0iO0w==
X-Google-Smtp-Source: ABdhPJyuy3jMUC90ulFuSh1Y6YaSzCU593knnEPU/XY2bH/fiuzu5pwUFwacOEGE94Ax7BPg3Mvm3Q==
X-Received: by 2002:a63:d450:0:b0:3c6:e382:c13b with SMTP id
 i16-20020a63d450000000b003c6e382c13bmr9029577pgj.138.1652561727477; 
 Sat, 14 May 2022 13:55:27 -0700 (PDT)
Received: from [127.0.0.1] (master.gitmailbox.com. [34.83.118.50])
 by smtp.gmail.com with ESMTPSA id
 f7-20020a170902ab8700b0015e8d4eb29esm4052391plr.232.2022.05.14.13.55.26
 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
 Sat, 14 May 2022 13:55:26 -0700 (PDT)
From: softworkz <ffmpegagent@gmail.com>
X-Google-Original-From: softworkz <softworkz@hotmail.com>
Message-Id: <97e0d765c98243e35d167bae0870b2c07fd613aa.1652561722.git.ffmpegagent@gmail.com>
In-Reply-To: <pull.12.v4.ffstaging.FFmpeg.1652561722.ffmpegagent@gmail.com>
References: <pull.12.v3.ffstaging.FFmpeg.1651978882.ffmpegagent@gmail.com>
 <pull.12.v4.ffstaging.FFmpeg.1652561722.ffmpegagent@gmail.com>
Date: Sat, 14 May 2022 20:55:15 +0000
Fcc: Sent
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH v4 03/10] libavformat/asfdec: fix type of
 value_len
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Michael Niedermayer <michael@niedermayer.cc>,
 softworkz <softworkz@hotmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/97e0d765c98243e35d167bae0870b2c07fd613aa.1652561722.git.ffmpegagent@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

From: softworkz <softworkz@hotmail.com>

The value_len is an uint32 not an int32 per spec. That
value must not be truncated, neither by casting to int, nor by any
conditional checks, because at the end of get_tag, this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.

Signed-off-by: softworkz <softworkz@hotmail.com>
---
 libavformat/asfdec_f.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index c7c4ba55d6..eda7175c96 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
     }
 }
 
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
 {
     ASFContext *asf = s->priv_data;
     char *value = NULL;
@@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
 static int asf_read_content_desc(AVFormatContext *s)
 {
     AVIOContext *pb = s->pb;
-    int len1, len2, len3, len4, len5;
+    uint32_t len1, len2, len3, len4, len5;
 
     len1 = avio_rl16(pb);
     len2 = avio_rl16(pb);
@@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s)
     ASFContext *asf = s->priv_data;
     uint64_t dar_num[128] = {0};
     uint64_t dar_den[128] = {0};
-    int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+    int n, name_len_utf8;
+    uint16_t stream_num, name_len_utf16, value_type;
+    uint32_t value_len;
     int ret, i;
     n = avio_rl16(pb);
 
     for (i = 0; i < n; i++) {
         uint8_t *name;
-        int value_type;
 
         avio_rl16(pb);  // lang_list_index
-        stream_num = avio_rl16(pb);
-        name_len_utf16 = avio_rl16(pb);
-        value_type = avio_rl16(pb); /* value_type */
-        value_len  = avio_rl32(pb);
+        stream_num     = (uint16_t)avio_rl16(pb);
+        name_len_utf16 = (uint16_t)avio_rl16(pb);
+        value_type     = (uint16_t)avio_rl16(pb); /* value_type */
+        value_len      = avio_rl32(pb);
 
-        if (value_len < 0 || value_len > UINT16_MAX)
-            return AVERROR_INVALIDDATA;
-
-        name_len_utf8 = 2*name_len_utf16 + 1;
-        name          = av_malloc(name_len_utf8);
+        name_len_utf8  = 2 * name_len_utf16 + 1;
+        name           = av_malloc(name_len_utf8);
         if (!name)
             return AVERROR(ENOMEM);
 
-- 
ffmpeg-codebot

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".