Message-Id: <9d2bc4acd451ffc0120ef1fd13f7e17d1c501b6a.1640183587.git.ffmpegagent@gmail.com>
From: ffmpegagent
Date: Wed, 22 Dec 2021 14:32:59 +0000
Subject: [PATCH 03/11] libavformat/asfdec: fix type of value_len
To: ffmpegdev@gitmailbox.com
Cc: softworkz, softworkz

From: softworkz

The value_len is a uint32, not an int32, per spec. That value must not be truncated, neither by casting to int nor by any conditional checks, because at the end of get_tag this value is needed to move forward in parsing. When the len value gets modified, the parsing may break.

Signed-off-by: softworkz
---
 libavformat/asfdec_f.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index d31e1d581d..29b429fee9 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) static int asf_read_content_desc(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); 
@@ -614,25 +614,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM); -- gitgitgadget
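Review bot: in the get_tag hunk (@@ -218), only the parameter type changes from `int len` to `uint32_t len`, while the body of get_tag and its other callers are outside this diff. Any comparison inside get_tag that assumed a signed length (a `len < 0` guard, or signed arithmetic mixing len with an int) silently changes meaning once len is unsigned, so please review the body in the same patch and state in the commit message that it was checked; the message says len is used at the end of get_tag to advance the parser, which is exactly the place where a changed comparison would go unnoticed.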
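Review bot: in the asf_read_content_desc hunk (@@ -528), the commit message does not cover this change. len1 through len5 are assigned from avio_rl16() (visible for len1 and len2 in the context lines), so they are 16-bit values and were never at risk of truncation or sign confusion; widening them to uint32_t is reasonable only as type consistency with get_tag's new parameter, and a sentence saying so in the commit message would make the intent clear. Using uint16_t to match the reads would be the other defensible choice.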
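Review bot: in the asf_read_metadata hunk (@@ -614), the check `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` is removed with no replacement, so value_len now leaves this loop as an arbitrary 32-bit value taken straight from the file. The `< 0` half was indeed meaningless for an unsigned field, but dropping the upper bound removes the only validation of this length visible here; bounding value_len against the remaining object size (asf_read_metadata receives `int64_t size`) would keep the untruncated value the commit message asks for while still rejecting lengths that cannot fit in the object. Two smaller points: the `(uint16_t)` casts on the avio_rl16() results are redundant, since stream_num, name_len_utf16 and value_type are now declared uint16_t and the implicit conversion does the same; and the `name_len_utf8 = 2 * name_len_utf16 + 1;` / `name = av_malloc(name_len_utf8);` lines are whitespace-only changes that add noise to the diff.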