From: softworkz
Date: Sat, 07 May 2022 09:36:36 +0000
To: ffmpeg-devel@ffmpeg.org
Cc: softworkz
Subject: [FFmpeg-devel] [PATCH v2 03/11] libavformat/asfdec: fix type of value_len

From: softworkz

The value_len is an uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break.

Signed-off-by: softworkz
--- libavformat/asfdec_f.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index d31e1d581d..29b429fee9 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c
@@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) static int asf_read_content_desc(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); @@ -614,25 +614,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; ASFContext *asf = s->priv_data; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM); -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
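
Review bot: In the first hunk (get_tag), the prototype changes len from int to uint32_t, but no line of the function body is part of this patch, so every existing use of len inside get_tag now runs with unsigned semantics and a range up to UINT32_MAX. Please state in the commit message, or show with a follow-up hunk, that comparisons against signed values and any buffer size derived from len were audited. If the amount actually read has to be capped, do that in a separate local and keep len untouched for the final skip, which is what the commit message says the value is needed for.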
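
Review bot: In the asf_read_content_desc hunk, len1 through len5 become uint32_t although the two reads visible here (len1, len2) use avio_rl16(), so those values can never exceed 16 bits. uint16_t would match the field width and the way stream_num and name_len_utf16 are declared in the asf_read_metadata hunk. If uint32_t is deliberate so the variables match get_tag's new parameter type, say so in the commit message, which currently only mentions value_len.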
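
Review bot: In the asf_read_metadata hunk, dropping `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` leaves value_len, a 32-bit length read straight from the file by avio_rl32(), with no validation in the visible lines. The `< 0` half is dead once the variable is unsigned, but the upper bound was the only check shown here; rather than removing it outright, consider rejecting a value_len larger than what remains of the object (the function receives `size`), which keeps the length intact for skipping while refusing lengths the input cannot contain. Separately, the (uint16_t) casts on avio_rl16() are redundant, and the realignment of the name_len_utf8 and name lines is whitespace-only churn that would be easier to review in its own patch.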