From: softworkz
Date: Sat, 21 May 2022 05:21:33 +0000
Message-Id: <99660db6ef5853f9af000b2e0844a39ae9475c18.1653110500.git.ffmpegagent@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
Subject: [FFmpeg-devel] [PATCH v5 03/10] libavformat/asfdec: fix type of value_len

The value_len is an uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break.

Signed-off-by: softworkz

--- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index c7c4ba55d6..eda7175c96 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c
@@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s) static int asf_read_content_desc(AVFormatContext *s) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); @@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s) ASFContext *asf = s->priv_data; uint64_t dar_num[128] = {0}; uint64_t dar_den[128] = {0}; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM); -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
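Review bot: the body of get_tag is not touched in the @@ -219,7 hunk even though len changes from int to uint32_t in its signature, so any size computation, signed comparison or negative-length guard in that body now evaluates in unsigned 32-bit arithmetic, where a value near UINT32_MAX wraps instead of going negative. Please either include the body's length handling in this patch or state in the commit message that it was audited, so that a file-supplied len cannot wrap a size calculation before the skip at the end of get_tag that the commit message refers to.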
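Review bot: in the asf_read_content_desc hunk (@@ -529,7), len1 through len5 are widened to uint32_t, but the visible context fills them with avio_rl16(pb), so they can never exceed 16 bits. uint16_t would match the field width and the choice made for stream_num and name_len_utf16 in the following hunk. If uint32_t is used only to match the new get_tag parameter type, say so in the commit message, which currently mentions value_len alone.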
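Review bot: the asf_read_metadata hunk (@@ -620,25) deletes the only visible bound on value_len, `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;`, without replacing it, so a full 32-bit length read from the file by avio_rl32(pb) now reaches the rest of the loop unchecked. Dropping the `< 0` half is right for an unsigned type, but an upper limit tied to the bytes remaining in the enclosing object should stay here, or the commit message should say where the callee enforces one, rather than trusting the field. Minor: the (uint16_t) casts on avio_rl16(pb) are redundant once the destinations are uint16_t, and the realignment of the name_len_utf8 and name assignments is whitespace churn that belongs in a separate commit.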