From: softworkz
Date: Sun, 08 May 2022 03:01:14 +0000
To: ffmpeg-devel@ffmpeg.org
Cc: Michael Niedermayer, softworkz
Subject: [FFmpeg-devel] [PATCH v3 03/11] libavformat/asfdec: fix type of value_len

From: softworkz

The value_len is an uint32 not an int32 per spec. That value must not be truncated, neither by casting to int, nor by any conditional checks, because at the end of get_tag, this value is needed to move forward in parsing. When the len value gets modified, the parsing may break.

Signed-off-by: softworkz
---
 libavformat/asfdec_f.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 0fa2bbf653..3014ef558d 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size) } } -static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size) +static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size) { ASFContext *asf = s->priv_data; char *value = NULL; @@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) static int asf_read_content_desc(AVFormatContext *s, int64_t size) { AVIOContext *pb = s->pb; - int len1, len2, len3, len4, len5; + uint32_t len1, len2, len3, len4, len5; len1 = avio_rl16(pb); len2 = avio_rl16(pb); @@ -619,25 +619,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) ASFContext *asf = s->priv_data; uint64_t dar_num[128] = {0}; uint64_t dar_den[128] = {0}; - int n, stream_num, name_len_utf16, name_len_utf8, value_len; + int n, name_len_utf8; + uint16_t stream_num, name_len_utf16, value_type; + uint32_t value_len; int ret, i; n = avio_rl16(pb); for (i = 0; i < n; i++) { uint8_t *name; - int value_type; avio_rl16(pb); // lang_list_index - stream_num = avio_rl16(pb); - name_len_utf16 = avio_rl16(pb); - value_type = avio_rl16(pb); /* value_type */ - value_len = avio_rl32(pb); + stream_num = (uint16_t)avio_rl16(pb); + name_len_utf16 = (uint16_t)avio_rl16(pb); + value_type = (uint16_t)avio_rl16(pb); /* value_type */ + value_len = avio_rl32(pb); - if (value_len < 0 || value_len > UINT16_MAX) - return AVERROR_INVALIDDATA; - - name_len_utf8 = 2*name_len_utf16 + 1; - name = av_malloc(name_len_utf8); + name_len_utf8 = 2 * name_len_utf16 + 1; + name = av_malloc(name_len_utf8); if (!name) return AVERROR(ENOMEM); -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
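Review bot: In the @@ -218,7 hunk, get_tag's len parameter becomes uint32_t but the function body is outside the hunk, so the patch does not show that the existing uses of len are safe for values above INT_MAX. Any signed comparison on len changes meaning with this type, and any allocation or read sized from len now sees the full 32-bit range taken from the file. Please include or reference the affected lines of get_tag so this can be checked, and consider bounding the amount actually read or allocated while still using the unmodified len to move forward at the end of the function.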
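Review bot: In the @@ -528,7 hunk of asf_read_content_desc, len1 to len5 are widened to uint32_t although the visible reads (len1 = avio_rl16(pb); len2 = avio_rl16(pb);) are 16-bit, so these values cannot exceed UINT16_MAX. The commit message only motivates value_len. Either use uint16_t to match the field width, or add a sentence to the commit message saying the type was chosen to match the new get_tag parameter.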
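Review bot: In the @@ -619,25 hunk of asf_read_metadata, the check "if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;" is removed with no replacement, so nothing in the visible lines bounds value_len, which is read from the file with avio_rl32(pb) and can now be as large as UINT32_MAX. Dropping the "< 0" half is correct for an unsigned type, but an upper bound that does not modify the value is still wanted: for example, reject the record with AVERROR_INVALIDDATA when value_len exceeds what remains of the object, using the int64_t size argument the function already receives. Two smaller points: the (uint16_t) casts on avio_rl16(pb) are redundant when assigning to uint16_t variables, and the whitespace realignment of the name_len_utf8 and name lines is unrelated to the type fix and would be easier to review as a separate change.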