* [PATCH 00/11] libavformat/asf: fix handling of byte array length values
@ 2021-12-22 15:13 ffmpegagent
2021-12-22 15:13 ` [PATCH 01/11] " ffmpegagent
` (11 more replies)
0 siblings, 12 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz
The spec allows attachment sizes of up to UINT32_MAX, while we can handle
only sizes up to INT32_MAX (in downstream code).
The debug.assert in get_tag didn't really address this, and truncating the
value_len in calling methods cannot be used because the length value is
required in order to continue parsing. This adds a check with a log message in
ff_asf_handle_byte_array to handle those (rare) cases.
softworkz (11):
libavformat/asf: fix handling of byte array length values
libavformat/asfdec: fix get_value return type and add checks for
libavformat/asfdec: fix type of value_len
libavformat/asfdec: fixing get_tag
libavformat/asfdec: implement parsing of GUID values
libavformat/asfdec: remove unused parameters
libavformat/asfdec: fix macro definition and use
libavformat/asfdec: remove variable redefinition in inner scope
libavformat/asfdec: ensure variables are initialized
libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
libavformat/asfdec: fix variable types and add checks for unsupported
values
libavformat/asf.c | 12 +-
libavformat/asf.h | 2 +-
libavformat/asfdec_f.c | 349 ++++++++++++++++++++++++++---------------
3 files changed, 232 insertions(+), 131 deletions(-)
base-commit: 15cfb4eee316a1d6a0764f4460409f0258fd94cb
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-12%2Fsoftworkz%2Fmaster-upstream_asf_4-v1
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-12/softworkz/master-upstream_asf_4-v1
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/12
--
gitgitgadget
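The cover letter's point is that a 32-bit length field must be validated but never narrowed or clamped, because the same value is what moves the parser past the descriptor. The following is an added example, not FFmpeg code and not part of this thread: a bounds-checked walk over the descriptor records of an ASF Metadata Object, laid out as asf_read_metadata() reads them (lang_list_index:u16, stream_num:u16, name_len:u16, value_type:u16, value_len:u32, UTF-16LE name, value bytes). The value type codes are assumed from the ASF spec, the two sample buffers are constructed inline, and every asf_* / example_* identifier is this example's own.

```c
/* Added example (not FFmpeg code). Type codes below are assumed from the ASF
 * spec; asf_walk_metadata(), put_rec() and the example_* samples are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ASF_T_UNICODE = 0, ASF_T_BYTE_ARRAY = 1, ASF_T_BOOL = 2, ASF_T_DWORD = 3,
       ASF_T_QWORD = 4, ASF_T_WORD = 5, ASF_T_GUID = 6 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Compare a NUL-terminated UTF-16LE descriptor name with an ASCII literal. */
static int name_is(const uint8_t *name, uint16_t name_len, const char *ascii)
{
    size_t n = strlen(ascii);
    if (name_len != 2 * (n + 1)) return 0;
    for (size_t k = 0; k <= n; k++)
        if (name[2 * k] != (uint8_t)ascii[k] || name[2 * k + 1] != 0) return 0;
    return 1;
}

typedef struct {
    unsigned parsed;    /* records with a known value type */
    unsigned skipped;   /* records with an unknown type, skipped by length */
    uint32_t aspect_x;  /* "AspectRatioX" DWORD value, 0 if absent */
} asf_desc_stats;

/* Returns 0 when every record fits in buf, -1 as soon as one does not. The
 * 32-bit value_len is checked against the remaining bytes and then used
 * unchanged to advance: never narrowed to int, never clamped. */
int asf_walk_metadata(const uint8_t *buf, size_t len, asf_desc_stats *st)
{
    size_t pos = 2;
    memset(st, 0, sizeof *st);
    if (len < 2) return -1;
    uint16_t n = rd16(buf);
    for (unsigned i = 0; i < n; i++) {
        if (len - pos < 12) return -1;
        uint16_t name_len   = rd16(buf + pos + 4);   /* +0 lang idx, +2 stream no. */
        uint16_t value_type = rd16(buf + pos + 6);
        uint32_t value_len  = rd32(buf + pos + 8);
        pos += 12;
        if (name_len > len - pos || value_len > len - pos - name_len) return -1;
        const uint8_t *name = buf + pos, *val = buf + pos + name_len;
        if (value_type == ASF_T_DWORD && value_len == 4 && name_is(name, name_len, "AspectRatioX"))
            st->aspect_x = rd32(val);
        if (value_type <= ASF_T_GUID) st->parsed++; else st->skipped++;
        pos += name_len;
        pos += value_len;   /* skip the full declared length, whatever the type */
    }
    return 0;
}

/* Append one record; val_len_field may exceed val_bytes to forge a record
 * that declares more value bytes than it carries. Returns bytes written. */
static size_t put_rec(uint8_t *out, const char *ascii_name, uint16_t type,
                      uint32_t val_len_field, const uint8_t *val, size_t val_bytes)
{
    size_t n = strlen(ascii_name) + 1, p = 0;
    wr16(out + p, 0);                 p += 2;   /* language list index */
    wr16(out + p, 1);                 p += 2;   /* stream number */
    wr16(out + p, (uint16_t)(2 * n)); p += 2;   /* name length in bytes */
    wr16(out + p, type);              p += 2;
    wr32(out + p, val_len_field);     p += 4;
    for (size_t k = 0; k < n; k++) { out[p++] = (uint8_t)ascii_name[k]; out[p++] = 0; }
    memcpy(out + p, val, val_bytes);
    return p + val_bytes;
}

/* Constructed sample: three records, the middle one of an unknown type 9. */
int example_well_formed(asf_desc_stats *st)
{
    uint8_t buf[256], ratio[4], junk[5] = {1, 2, 3, 4, 5};
    size_t p = 2;
    wr16(buf, 3);
    wr32(ratio, 16);
    p += put_rec(buf + p, "AspectRatioX", ASF_T_DWORD, 4, ratio, 4);
    p += put_rec(buf + p, "Vendor/Opaque", 9, 5, junk, 5);
    p += put_rec(buf + p, "WM/Picture", ASF_T_BYTE_ARRAY, 5, junk, 5);
    return asf_walk_metadata(buf, p, st);
}

/* Constructed sample: value_len claims 0xFFFFFFFF bytes (-1 if narrowed to int). */
int example_oversized_len(asf_desc_stats *st)
{
    uint8_t buf[64], junk[2] = {0, 0};
    size_t p = 2;
    wr16(buf, 1);
    p += put_rec(buf + p, "ID3", ASF_T_BYTE_ARRAY, 0xFFFFFFFFu, junk, 2);
    return asf_walk_metadata(buf, p, st);
}

int main(void)
{
    asf_desc_stats st;
    int rc = example_well_formed(&st);
    printf("well-formed: rc=%d parsed=%u skipped=%u aspect_x=%u\n", rc, st.parsed, st.skipped, st.aspect_x);
    rc = example_oversized_len(&st);
    printf("oversized: rc=%d parsed=%u\n", rc, st.parsed);
    return 0;
}
```

The check `value_len > len - pos - name_len` is the whole point: it rejects a record that cannot fit without ever converting the 32-bit length to a narrower type, and on the well-formed path the same unchanged value advances the cursor past an unknown descriptor so the records after it are still found.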
* [PATCH 01/11] libavformat/asf: fix handling of byte array length values
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 02/11] libavformat/asfdec: fix get_value return type and add checks for ffmpegagent
` (10 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
The spec allows attachment sizes of up to UINT32_MAX, while
we can handle only sizes up to INT32_MAX (in downstream
code).
The debug.assert in get_tag didn't really address this,
and truncating the value_len in calling methods cannot
be used because the length value is required in order to
continue parsing. This adds a check with a log message in
ff_asf_handle_byte_array to handle those (rare) cases.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asf.c | 12 +++++++++---
libavformat/asf.h | 2 +-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/libavformat/asf.c b/libavformat/asf.c
index 1ac8b5f078..179b66a2b4 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
}
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len)
+ uint32_t val_len)
{
+ if (val_len > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
+ return 1;
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
- return asf_read_picture(s, val_len);
+ return asf_read_picture(s, (int)val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
- return get_id3_tag(s, val_len);
+ return get_id3_tag(s, (int)val_len);
+ av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name);
return 1;
}
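Review bot: between this patch and 04/11 the "Unsupported byte array" message is printed twice, because get_tag() still logs when ff_asf_handle_byte_array() returns > 0 and that caller-side log is only removed in 04/11; either keep the new trailing av_log() out of this patch or drop the caller's log here, so each commit stands on its own. Also consider AV_LOG_WARNING rather than AV_LOG_VERBOSE for the new `val_len > INT32_MAX` branch: the value is dropped, and a user will otherwise never learn why a picture or ID3 tag is missing.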
diff --git a/libavformat/asf.h b/libavformat/asf.h
index 01cc4f7a46..4d28560f56 100644
--- a/libavformat/asf.h
+++ b/libavformat/asf.h
@@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[];
* is unsupported by this function and 0 otherwise.
*/
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len);
+ uint32_t val_len);
#define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
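Review bot: the doc comment above the prototype (ending "...is unsupported by this function and 0 otherwise") should also say that a val_len above INT32_MAX is reported as unsupported (return 1), since that is now a second reason for the non-zero return and callers rely on it to skip the value by the full length.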
--
gitgitgadget
* [PATCH 02/11] libavformat/asfdec: fix get_value return type and add checks for unsupported values
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2021-12-22 15:13 ` [PATCH 01/11] " ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 03/11] libavformat/asfdec: fix type of value_len ffmpegagent
` (9 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
unsupported values
get_value had a return type of int, which means that reading
QWORDS (case 4) was broken due to truncation of the result from
avio_rl64().
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 38 +++++++++++++++++++++++++++++---------
1 file changed, 29 insertions(+), 9 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index a8f36ed286..d31e1d581d 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -202,7 +202,7 @@ static int asf_probe(const AVProbeData *pd)
/* size of type 2 (BOOL) is 32bit for "Extended Content Description Object"
* but 16 bit for "Metadata Object" and "Metadata Library Object" */
-static int get_value(AVIOContext *pb, int type, int type2_size)
+static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
{
switch (type) {
case ASF_BOOL:
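Review bot: with the return type now uint64_t, whatever the default branch of get_value() returns for an unknown type (not in this hunk) can no longer be a negative sentinel, and a caller comparing the result with `< 0` would silently stop working; please confirm that every caller either ignores the default value or that get_value() has no error path to signal.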
@@ -567,10 +567,22 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
* since it's unused. */
- if (!strcmp(name, "AspectRatioX"))
- asf->dar[0].num = get_value(s->pb, value_type, 32);
- else if (!strcmp(name, "AspectRatioY"))
- asf->dar[0].den = get_value(s->pb, value_type, 32);
+ if (!strcmp(name, "AspectRatioX")) {
+ const uint64_t value = get_value(s->pb, value_type, 32);
+ if (value > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", value);
+ return AVERROR(ENOTSUP);
+ }
+ asf->dar[0].num = (int)value;
+ }
+ else if (!strcmp(name, "AspectRatioY")) {
+ const uint64_t value = get_value(s->pb, value_type, 32);
+ if (value > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", value);
+ return AVERROR(ENOTSUP);
+ }
+ asf->dar[0].den = (int)value;
+ }
else
get_tag(s, name, value_type, value_len, 32);
}
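Review bot: returning AVERROR(ENOTSUP) here abandons the remaining descriptors of the object over one out-of-range aspect value, and the call site in asf_read_header() discards the return value of asf_read_ext_content_desc() anyway (visible later in the series as `asf_read_ext_content_desc(s, gsize);` without `ret =`), so the error changes behaviour without being acted on. Skipping just that descriptor (leaving asf->dar[0] untouched) keeps the rest of the metadata; if an error is wanted, AVERROR_INVALIDDATA is the conventional code for a field outside its valid range, and AV_LOG_DEBUG is low for a value that is being dropped. Style: FFmpeg keeps `} else if (...) {` on one line rather than `}` / `else if`.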
@@ -630,13 +642,21 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
i, stream_num, name_len_utf16, value_type, value_len, name);
if (!strcmp(name, "AspectRatioX")){
- int aspect_x = get_value(s->pb, value_type, 16);
+ const uint64_t aspect_x = get_value(s->pb, value_type, 16);
+ if (aspect_x > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", aspect_x);
+ return AVERROR(ENOTSUP);
+ }
if(stream_num < 128)
- asf->dar[stream_num].num = aspect_x;
+ asf->dar[stream_num].num = (int)aspect_x;
} else if(!strcmp(name, "AspectRatioY")){
- int aspect_y = get_value(s->pb, value_type, 16);
+ const uint64_t aspect_y = get_value(s->pb, value_type, 16);
+ if (aspect_y > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", aspect_y);
+ return AVERROR(ENOTSUP);
+ }
if(stream_num < 128)
- asf->dar[stream_num].den = aspect_y;
+ asf->dar[stream_num].den = (int)aspect_y;
} else {
get_tag(s, name, value_type, value_len, 16);
}
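Review bot: same as in asf_read_ext_content_desc() above: an aspect value above INT32_MAX aborts the whole Metadata Object with ENOTSUP, although the `if(stream_num < 128)` guard shows this loop is otherwise tolerant of odd records; skipping the record is enough. The two AspectRatio branches are now identical apart from the field they write and would be shorter as a small helper, and `if(stream_num` needs a space after `if`.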
--
gitgitgadget
* [PATCH 03/11] libavformat/asfdec: fix type of value_len
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2021-12-22 15:13 ` [PATCH 01/11] " ffmpegagent
2021-12-22 15:13 ` [PATCH 02/11] libavformat/asfdec: fix get_value return type and add checks for ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 04/11] libavformat/asfdec: fixing get_tag ffmpegagent
` (8 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
The value_len is a uint32, not an int32, per spec. That
value must not be truncated, neither by casting to int nor by any
conditional checks, because at the end of get_tag this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index d31e1d581d..29b429fee9 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
}
}
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
char *value = NULL;
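Review bot: until 04/11 lands, get_tag() still passes the now-unsigned len into `avio_get_str16le(s->pb, len, value, 2 * len + 1)` and `av_malloc(2 * len + LEN)`, whose int parameters and int arithmetic it was previously declared to match; the remaining `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)` is what keeps that safe in this intermediate state, so this patch and 04/11 belong in one commit (see also the check removed from asf_read_metadata() below).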
@@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
static int asf_read_content_desc(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
- int len1, len2, len3, len4, len5;
+ uint32_t len1, len2, len3, len4, len5;
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
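Review bot: len1..len5 are read with avio_rl16(), so uint16_t matches the on-disk WORD fields; uint32_t is safe but suggests to the next reader that these can exceed 65535.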
@@ -614,25 +614,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int n, name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type;
+ uint32_t value_len;
int ret, i;
n = avio_rl16(pb);
for (i = 0; i < n; i++) {
uint8_t *name;
- int value_type;
avio_rl16(pb); // lang_list_index
- stream_num = avio_rl16(pb);
- name_len_utf16 = avio_rl16(pb);
- value_type = avio_rl16(pb); /* value_type */
- value_len = avio_rl32(pb);
+ stream_num = (uint16_t)avio_rl16(pb);
+ name_len_utf16 = (uint16_t)avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb); /* value_type */
+ value_len = avio_rl32(pb);
- if (value_len < 0 || value_len > UINT16_MAX)
- return AVERROR_INVALIDDATA;
-
- name_len_utf8 = 2*name_len_utf16 + 1;
- name = av_malloc(name_len_utf8);
+ name_len_utf8 = 2 * name_len_utf16 + 1;
+ name = av_malloc(name_len_utf8);
if (!name)
return AVERROR(ENOMEM);
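Review bot: dropping `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` with no replacement bound makes this commit worse than its parent: value_len is a 32-bit field under file control, and at this point get_tag() still executes `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)`, so a crafted file with value_len at or above (INT_MAX - 22) / 2 (about 1 GiB) now aborts the process where it used to be rejected with an error. Keep the bound here until 04/11 replaces it (or squash the two), and even then check value_len against the bytes remaining in the object rather than only against INT32_MAX.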
--
gitgitgadget
* [PATCH 04/11] libavformat/asfdec: fixing get_tag
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (2 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 03/11] libavformat/asfdec: fix type of value_len ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 05/11] libavformat/asfdec: implement parsing of GUID values ffmpegagent
` (7 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
These three are closely related and can't be separated easily:
In get_tag, the code was adding 22 bytes (in order to allow
it to hold 64-bit numbers as a string) to the value len for
creating a buffer. This was unnecessarily imposing a
size constraint on the value_len parameter.
The code in get_tag was limiting the maximum value_len to
half the size of INT32. This was applied for all value types, even
though it is required only in the case of ASF_UNICODE, not for any
other ones (like ASCII).
get_tag was always allocating a buffer regardless of the
data type, even though this isn't required in the case of ASF_BYTE_ARRAY.
The check for the return value from ff_asf_handle_byte_array()
being > 0 is removed here because the log message is emitted
by the function itself now.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 29b429fee9..58c424b565 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -221,37 +221,63 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
- char *value = NULL;
int64_t off = avio_tell(s->pb);
-#define LEN 22
-
- av_assert0((unsigned)len < (INT_MAX - LEN) / 2);
+ char *value = NULL;
+ uint64_t required_bufferlen;
+ int buffer_len;
if (!asf->export_xmp && !strncmp(key, "xmp", 3))
goto finish;
- value = av_malloc(2 * len + LEN);
+ switch (type) {
+ case ASF_UNICODE:
+ required_bufferlen = (uint64_t)len * 2 + 1;
+ break;
+ case -1: // ASCII
+ required_bufferlen = (uint64_t)len + 1;
+ break;
+ case ASF_BYTE_ARRAY:
+ ff_asf_handle_byte_array(s, key, len);
+ goto finish;
+ case ASF_BOOL:
+ case ASF_DWORD:
+ case ASF_QWORD:
+ case ASF_WORD:
+ required_bufferlen = 22;
+ break;
+ case ASF_GUID:
+ required_bufferlen = 33;
+ break;
+ default:
+ required_bufferlen = len;
+ break;
+ }
+
+ if (required_bufferlen > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle values > INT32_MAX in tag %s.\n", key);
+ goto finish;
+ }
+
+ buffer_len = (int)required_bufferlen;
+
+ value = av_malloc(buffer_len);
if (!value)
goto finish;
switch (type) {
case ASF_UNICODE:
- avio_get_str16le(s->pb, len, value, 2 * len + 1);
+ avio_get_str16le(s->pb, len, value, buffer_len);
break;
- case -1: // ASCI
- avio_read(s->pb, value, len);
- value[len]=0;
+ case -1: // ASCII
+ avio_read(s->pb, value, buffer_len - 1);
+ value[buffer_len - 1] = 0;
break;
- case ASF_BYTE_ARRAY:
- if (ff_asf_handle_byte_array(s, key, len) > 0)
- av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", key);
- goto finish;
case ASF_BOOL:
case ASF_DWORD:
case ASF_QWORD:
case ASF_WORD: {
uint64_t num = get_value(s->pb, type, type2_size);
- snprintf(value, LEN, "%"PRIu64, num);
+ snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
case ASF_GUID:
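Review bot: `value = av_malloc(buffer_len)` now allocates up to INT32_MAX bytes on the strength of a 4-byte length in the file, before a single byte of the value has been read; the UINT16_MAX bound removed in 03/11 was the only limit, and the new `required_bufferlen > INT32_MAX` check only prevents the int overflow, not the allocation. Bound len by what is left of the enclosing object, or run it through ffio_limit() as the extradata path in asf_read_stream_properties() already does, before allocating. Two smaller points in the same hunk: the `default:` case of the first switch sets `required_bufferlen = len` and so allocates a buffer that the second switch only logs "Unsupported value type" for, so that case should `goto finish` without allocating; and in the ASCII case avio_read() can return short, so `value[buffer_len - 1] = 0` leaves uninitialised bytes between the data actually read and the terminator (terminate at the returned count, or use av_mallocz()).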
--
gitgitgadget
* [PATCH 05/11] libavformat/asfdec: implement parsing of GUID values
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (3 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 04/11] libavformat/asfdec: fixing get_tag ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 06/11] libavformat/asfdec: remove unused parameters ffmpegagent
` (6 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 58c424b565..4c898ab3f2 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -280,9 +280,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len,
snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
- case ASF_GUID:
- av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
- goto finish;
+ case ASF_GUID: {
+ ff_asf_guid g;
+ ff_get_guid(s->pb, &g);
+ snprintf(value, buffer_len, "%x", g[0]);
+ break;
+ }
default:
av_log(s, AV_LOG_DEBUG,
"Unsupported value type %d in tag %s.\n", type, key);
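Review bot: `snprintf(value, buffer_len, "%x", g[0])` formats only the first byte of the 16-byte GUID, so the tag gets at most two hex digits although buffer_len was sized to 33 for the full 32-digit string; format all 16 bytes with "%02x" (enlarging the buffer if the 8-4-4-4-12 form with dashes is wanted) and check the return value of ff_get_guid() for a short read. The commit message is empty; it should say that GUID-typed tags were previously dropped and are now exported as a hex string.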
--
gitgitgadget
* [PATCH 06/11] libavformat/asfdec: remove unused parameters
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (4 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 05/11] libavformat/asfdec: implement parsing of GUID values ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 18:16 ` Soft Works
2021-12-22 15:13 ` [PATCH 07/11] libavformat/asfdec: fix macro definition and use ffmpegagent
` (5 subsequent siblings)
11 siblings, 1 reply; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 4c898ab3f2..e87c78cd6c 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -299,7 +299,7 @@ finish:
avio_seek(s->pb, off + len, SEEK_SET);
}
-static int asf_read_file_properties(AVFormatContext *s, int64_t size)
+static int asf_read_file_properties(AVFormatContext *s)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
@@ -494,7 +494,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_ext_stream_properties(AVFormatContext *s)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
@@ -554,7 +554,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_content_desc(AVFormatContext *s, int64_t size)
+static int asf_read_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
uint32_t len1, len2, len3, len4, len5;
@@ -573,7 +573,7 @@ static int asf_read_content_desc(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
+static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -619,7 +619,7 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_language_list(AVFormatContext *s, int64_t size)
+static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -639,7 +639,7 @@ static int asf_read_language_list(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_metadata(AVFormatContext *s, int64_t size)
+static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -693,7 +693,7 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_marker(AVFormatContext *s, int64_t size)
+static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -772,21 +772,21 @@ static int asf_read_header(AVFormatContext *s)
if (gsize < 24)
return AVERROR_INVALIDDATA;
if (!ff_guidcmp(&g, &ff_asf_file_header)) {
- ret = asf_read_file_properties(s, gsize);
+ ret = asf_read_file_properties(s);
} else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
ret = asf_read_stream_properties(s, gsize);
} else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
- asf_read_content_desc(s, gsize);
+ asf_read_content_desc(s);
} else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
- asf_read_language_list(s, gsize);
+ asf_read_language_list(s);
} else if (!ff_guidcmp(&g, &ff_asf_extended_content_header)) {
- asf_read_ext_content_desc(s, gsize);
+ asf_read_ext_content_desc(s);
} else if (!ff_guidcmp(&g, &ff_asf_metadata_header)) {
- asf_read_metadata(s, gsize);
+ asf_read_metadata(s);
} else if (!ff_guidcmp(&g, &ff_asf_metadata_library_header)) {
- asf_read_metadata(s, gsize);
+ asf_read_metadata(s);
} else if (!ff_guidcmp(&g, &ff_asf_ext_stream_header)) {
- asf_read_ext_stream_properties(s, gsize);
+ asf_read_ext_stream_properties(s);
// there could be an optional stream properties object to follow
// if so the next iteration will pick it up
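Review bot: the return values of asf_read_content_desc(), asf_read_language_list(), asf_read_ext_content_desc(), asf_read_metadata(), asf_read_ext_stream_properties() and asf_read_marker() are still discarded in this loop, while 02/11 makes some of them return AVERROR(ENOTSUP) part-way through an object; either propagate them into `ret` or, if the header loop resynchronises at the end of each object and ignoring is intended, say so in the commit message (which is empty). Removing `size` also takes away the only value these readers could check a field against (see the unbounded `avio_skip(pb, ext_len)` in 11/11), so it may be worth keeping the parameter where a bound is still missing.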
@@ -796,7 +796,7 @@ static int asf_read_header(AVFormatContext *s)
avio_skip(pb, 6);
continue;
} else if (!ff_guidcmp(&g, &ff_asf_marker_header)) {
- asf_read_marker(s, gsize);
+ asf_read_marker(s);
} else if (avio_feof(pb)) {
return AVERROR_EOF;
} else {
--
gitgitgadget
* [PATCH 07/11] libavformat/asfdec: fix macro definition and use
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (5 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 06/11] libavformat/asfdec: remove unused parameters ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 16:23 ` Soft Works
2021-12-22 15:13 ` [PATCH 08/11] libavformat/asfdec: remove variable redefinition in inner scope ffmpegagent
` (4 subsequent siblings)
11 siblings, 1 reply; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index e87c78cd6c..a7b5ffe465 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -896,21 +896,21 @@ static int asf_read_header(AVFormatContext *s)
}
#define DO_2BITS(bits, var, defval) \
- switch (bits & 3) { \
+ switch ((bits) & 3) { \
case 3: \
- var = avio_rl32(pb); \
+ (var) = avio_rl32(pb); \
rsize += 4; \
break; \
case 2: \
- var = avio_rl16(pb); \
+ (var) = avio_rl16(pb); \
rsize += 2; \
break; \
case 1: \
- var = avio_r8(pb); \
+ (var) = avio_r8(pb); \
rsize++; \
break; \
default: \
- var = defval; \
+ (var) = (defval); \
break; \
}
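Review bot: the added parentheses are right, but the real defect of DO_2BITS is that it expands to a bare `switch` statement, which is why the call sites below have to lose their trailing semicolons and why the macro cannot be used as `if (...) DO_2BITS(...); else ...`; wrap the body in `do { ... } while (0)` and keep the semicolons at the call sites instead of removing them.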
@@ -993,9 +993,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
asf->packet_flags = c;
asf->packet_property = d;
- DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
- DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
- DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
+ DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
+ DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
+ DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
// the following checks prevent overflows and infinite loops
if (!packet_length || packet_length >= (1U << 29)) {
@@ -1056,9 +1056,9 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
asf->stream_index = asf->asfid2avid[num & 0x7f];
asfst = &asf->streams[num & 0x7f];
// sequence should be ignored!
- DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
- DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
- DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
+ DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
+ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
+ DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d replic_size:%d num:%X packet_property %X\n",
asf->packet_key_frame, asf->stream_index, asf->packet_seq,
asf->packet_frag_offset, asf->packet_replic_size, num, asf->packet_property);
@@ -1134,7 +1134,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_flags & 0x01) {
- DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
+ DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) // 0 is illegal
if (rsize > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
return AVERROR_INVALIDDATA;
--
gitgitgadget
* [PATCH 08/11] libavformat/asfdec: remove variable redefinition in inner scope
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (6 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 07/11] libavformat/asfdec: fix macro definition and use ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 09/11] libavformat/asfdec: ensure variables are initialized ffmpegagent
` (3 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index a7b5ffe465..8283f245ab 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1181,7 +1181,7 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
return AVERROR_EOF;
if (asf->packet_size_left < FRAME_HEADER_SIZE ||
asf->packet_segments < 1 && asf->packet_time_start == 0) {
- int ret = asf->packet_size_left + asf->packet_padsize;
+ ret = asf->packet_size_left + asf->packet_padsize;
if (asf->packet_size_left && asf->packet_size_left < FRAME_HEADER_SIZE)
av_log(s, AV_LOG_WARNING, "Skip due to FRAME_HEADER_SIZE\n");
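Review bot: reusing the function-scope `ret` changes the lifetime of the value: after this block `ret` holds packet_size_left + packet_padsize until something else assigns it, whereas the inner `int ret` died with the block; please confirm that no path after this block returns or tests the outer `ret` expecting its earlier value. If that holds, fine; otherwise the shadowing was the lesser problem.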
@@ -1250,7 +1250,6 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
if (asf_st->pkt.size != asf_st->packet_obj_size ||
// FIXME is this condition sufficient?
asf_st->frag_offset + asf->packet_frag_size > asf_st->pkt.size) {
- int ret;
if (asf_st->pkt.data) {
av_log(s, AV_LOG_INFO,
--
gitgitgadget
* [PATCH 09/11] libavformat/asfdec: ensure variables are initialized
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (7 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 08/11] libavformat/asfdec: remove variable redefinition in inner scope ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() ffmpegagent
` (2 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 8283f245ab..024d77903b 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -968,6 +968,7 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
avio_seek(pb, -1, SEEK_CUR); // FIXME
}
} else {
+ d = e = 0;
c = avio_r8(pb);
if (c & 0x80) {
rsize ++;
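Review bot: `d = e = 0;` in the else branch is the only change and the commit message does not say what it fixes (a compiler warning, or a real read of uninitialised d/e later in asf_get_packet()); initialising c, d and e at their declaration covers both branches and any future one, and the message should state that 0 is the value the code below expects for these packet header fields when the flag byte does not supply them.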
--
gitgitgadget
* [PATCH 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (8 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 09/11] libavformat/asfdec: ensure variables are initialized ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2021-12-22 15:13 ` [PATCH 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 024d77903b..b8140a6d57 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -323,7 +323,7 @@ static int asf_read_file_properties(AVFormatContext *s)
return 0;
}
-static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
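Review bot: changing `size` from int64_t to uint64_t changes the arithmetic in this function: `size - (avio_tell(pb) - pos1 + 24) >= 51` and `size < sizeX - 40` (both visible in 11/11) now operate on unsigned values, so an object whose declared size is smaller than what has already been consumed wraps to a huge number and passes the first check instead of failing it as the signed version did. Either keep int64_t (the caller already rejects gsize < 24) or rewrite the check in the non-wrapping form `avio_tell(pb) - pos1 + 24 + 51 <= size`. The commit message is empty and should explain the motivation.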
--
gitgitgadget
* [PATCH 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (9 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() ffmpegagent
@ 2021-12-22 15:13 ` ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
11 siblings, 0 replies; 68+ messages in thread
From: ffmpegagent @ 2021-12-22 15:13 UTC (permalink / raw)
To: ffmpegdev; +Cc: softworkz, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 168 ++++++++++++++++++++++++++---------------
1 file changed, 108 insertions(+), 60 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index b8140a6d57..c7141f6da1 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -332,9 +332,9 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
ASFStream *asf_st;
ff_asf_guid g;
enum AVMediaType type;
- int type_specific_size, sizeX;
- unsigned int tag1;
- int64_t pos1, pos2, start_time;
+ unsigned int tag1, type_specific_size, sizeX;
+ int64_t pos1, pos2;
+ uint32_t start_time;
int test_for_ext_stream_audio, is_dvr_ms_audio = 0;
if (s->nb_streams == ASF_MAX_STREAMS) {
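Review bot: start_time goes from int64_t to uint32_t, a narrowing of a value that was deliberately 64-bit; wherever it enters timestamp arithmetic later in the function (not in this hunk) the promotion rules change. With an empty commit message there is no way to tell whether that is intended; please split type changes with a behavioural effect (start_time, the size-related fields) from pure warning fixes and describe each.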
@@ -403,7 +403,14 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
st->codecpar->codec_type = type;
if (type == AVMEDIA_TYPE_AUDIO) {
- int ret = ff_get_wav_header(s, pb, st->codecpar, type_specific_size, 0);
+ int ret;
+
+ if (type_specific_size > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported WAV header size (> INT32_MAX)\n");
+ return AVERROR(ENOTSUP);
+ }
+
+ ret = ff_get_wav_header(s, pb, st->codecpar, (int)type_specific_size, 0);
if (ret < 0)
return ret;
if (is_dvr_ms_audio) {
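Review bot: a type_specific_size above INT32_MAX is malformed input, not an unsupported feature, so AVERROR_INVALIDDATA fits better than AVERROR(ENOTSUP) and AV_LOG_DEBUG is low for it; more useful than the INT32_MAX comparison is a check against the object itself, e.g. rejecting a type_specific_size larger than `size - (avio_tell(pb) - pos1)`, since the WAV header has to lie inside the Stream Properties Object.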
@@ -433,21 +440,32 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
}
} else if (type == AVMEDIA_TYPE_VIDEO &&
size - (avio_tell(pb) - pos1 + 24) >= 51) {
+ unsigned int width, height;
avio_rl32(pb);
avio_rl32(pb);
avio_r8(pb);
avio_rl16(pb); /* size */
- sizeX = avio_rl32(pb); /* size */
- st->codecpar->width = avio_rl32(pb);
- st->codecpar->height = avio_rl32(pb);
+ sizeX = avio_rl32(pb); /* size */
+ width = avio_rl32(pb);
+ height = avio_rl32(pb);
+
+ if (width > INT32_MAX || height > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height);
+ return AVERROR(ENOTSUP);
+ }
+
+ st->codecpar->width = (int)width;
+ st->codecpar->height = (int)height;
/* not available for asf */
avio_rl16(pb); /* panes */
st->codecpar->bits_per_coded_sample = avio_rl16(pb); /* depth */
tag1 = avio_rl32(pb);
avio_skip(pb, 20);
if (sizeX > 40) {
- if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
- return AVERROR_INVALIDDATA;
+ if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported extradata size\n");
+ return AVERROR(ENOTSUP);
+ }
st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40);
st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size +
AV_INPUT_BUFFER_PADDING_SIZE);
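Review bot: `av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height)` uses %d for unsigned int; use %u. The second change here, turning the failure of `size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` from AVERROR_INVALIDDATA into AVERROR(ENOTSUP), relabels a consistency violation (extradata claimed beyond the object) as an unsupported feature; keep AVERROR_INVALIDDATA there. With `size` now uint64_t (10/11), `size < sizeX - 40` is an unsigned comparison, which is fine only because `sizeX > 40` is tested first.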
@@ -499,9 +517,9 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
ff_asf_guid g;
- int ext_len, payload_ext_ct, stream_ct, i;
- uint32_t leak_rate, stream_num;
- unsigned int stream_languageid_index;
+ uint16_t payload_ext_ct, stream_ct, i;
+ uint32_t leak_rate, ext_len;
+ uint16_t stream_languageid_index, stream_num;
avio_rl64(pb); // starttime
avio_rl64(pb); // endtime
@@ -513,15 +531,15 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
avio_rl32(pb); // alt-init-bucket-fullness
avio_rl32(pb); // max-object-size
avio_rl32(pb); // flags (reliable,seekable,no_cleanpoints?,resend-live-cleanpoints, rest of bits reserved)
- stream_num = avio_rl16(pb); // stream-num
+ stream_num = (uint16_t)avio_rl16(pb); // stream-num
- stream_languageid_index = avio_rl16(pb); // stream-language-id-index
+ stream_languageid_index = (uint16_t)avio_rl16(pb); // stream-language-id-index
if (stream_num < 128)
asf->streams[stream_num].stream_language_index = stream_languageid_index;
avio_rl64(pb); // avg frametime in 100ns units
- stream_ct = avio_rl16(pb); // stream-name-count
- payload_ext_ct = avio_rl16(pb); // payload-extension-system-count
+ stream_ct = (uint16_t)avio_rl16(pb); // stream-name-count
+ payload_ext_ct = (uint16_t)avio_rl16(pb); // payload-extension-system-count
if (stream_num < 128) {
asf->stream_bitrates[stream_num] = leak_rate;
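Review bot: the `(uint16_t)avio_rl16(pb)` casts are redundant: avio_rl16() returns `unsigned int` and the assignment to a `uint16_t` converts implicitly, so they only add noise throughout the series. Reserve explicit casts for the narrowing conversions that follow a range check, like the `(int)` casts after the INT32_MAX comparisons.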
@@ -535,12 +553,10 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
}
for (i = 0; i < payload_ext_ct; i++) {
- int size;
+ uint16_t size;
ff_get_guid(pb, &g);
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
ext_len = avio_rl32(pb);
- if (ext_len < 0)
- return AVERROR_INVALIDDATA;
avio_skip(pb, ext_len);
if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
ASFPayload *p = &asf->streams[stream_num].payload[i];
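Review bot: dropping `if (ext_len < 0) return AVERROR_INVALIDDATA;` removes the only sanity check on `ext_len` without replacing it. With `ext_len` now `uint32_t` the value can no longer be negative, but anything up to UINT32_MAX now reaches `avio_skip(pb, ext_len)` unvalidated, whereas before every value at or above 2^31 was rejected. Bound `ext_len` against the remaining size of the object (or at least check `avio_feof()` after the skip) so a bogus length cannot silently seek past the end of the object.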
@@ -577,20 +593,21 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int desc_count, i, ret;
+ uint16_t desc_count, i;
+ int ret;
- desc_count = avio_rl16(pb);
+ desc_count = (uint16_t)avio_rl16(pb);
for (i = 0; i < desc_count; i++) {
- int name_len, value_type, value_len;
+ uint16_t name_len, value_type, value_len;
char name[1024];
- name_len = avio_rl16(pb);
+ name_len = (uint16_t)avio_rl16(pb);
if (name_len % 2) // must be even, broken lavf versions wrote len-1
name_len += 1;
if ((ret = avio_get_str16le(pb, name_len, name, sizeof(name))) < name_len)
avio_skip(pb, name_len - ret);
- value_type = avio_rl16(pb);
- value_len = avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb);
+ value_len = (uint16_t)avio_rl16(pb);
if (!value_type && value_len % 2)
value_len += 1;
/* My sample has that stream set to 0 maybe that mean the container.
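Review bot: with `name_len` and `value_len` now `uint16_t`, the `+= 1` even-length fix-ups wrap to 0 when the stored length is 0xFFFF, whereas the old `int` variables became 65536. For such an entry `avio_get_str16le()` then reads nothing, the `avio_skip()` does not run, and the parser desynchronises on the next field instead of skipping it. Either keep these two as `unsigned` or reject a length of 0xFFFF explicitly before the adjustment.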
@@ -623,14 +640,16 @@ static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int j, ret;
- int stream_count = avio_rl16(pb);
+ int ret;
+ uint16_t j;
+ const uint16_t stream_count = (uint16_t)avio_rl16(pb);
+
for (j = 0; j < stream_count; j++) {
char lang[6];
- unsigned int lang_len = avio_r8(pb);
+ const uint8_t lang_len = (uint8_t)avio_r8(pb);
if ((ret = avio_get_str16le(pb, lang_len, lang,
sizeof(lang))) < lang_len)
- avio_skip(pb, lang_len - ret);
+ avio_skip(pb, (int)lang_len - ret);
if (j < 128)
av_strlcpy(asf->stream_languages[j], lang,
sizeof(*asf->stream_languages));
@@ -643,14 +662,14 @@ static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int n, name_len_utf8;
- uint16_t stream_num, name_len_utf16, value_type;
+ int name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type, i, n;
uint32_t value_len;
- int ret, i;
- n = avio_rl16(pb);
+ int ret;
+ n = (uint16_t)avio_rl16(pb);
for (i = 0; i < n; i++) {
- uint8_t *name;
+ char *name;
avio_rl16(pb); // lang_list_index
stream_num = (uint16_t)avio_rl16(pb);
@@ -664,7 +683,7 @@ static int asf_read_metadata(AVFormatContext *s)
return AVERROR(ENOMEM);
if ((ret = avio_get_str16le(pb, name_len_utf16, name, name_len_utf8)) < name_len_utf16)
- avio_skip(pb, name_len_utf16 - ret);
+ avio_skip(pb, (int)name_len_utf16 - ret);
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
@@ -697,19 +716,21 @@ static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int i, count, name_len, ret;
+ int ret;
+ unsigned count, i;
+ uint16_t name_len;
char name[1024];
avio_rl64(pb); // reserved 16 bytes
avio_rl64(pb); // ...
count = avio_rl32(pb); // markers count
avio_rl16(pb); // reserved 2 bytes
- name_len = avio_rl16(pb); // name length
+ name_len = (uint16_t)avio_rl16(pb); // name length
avio_skip(pb, name_len);
for (i = 0; i < count; i++) {
- int64_t pres_time;
- int name_len;
+ uint64_t pres_time;
+ unsigned name2_len;
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
@@ -720,13 +741,18 @@ static int asf_read_marker(AVFormatContext *s)
avio_rl16(pb); // entry length
avio_rl32(pb); // send time
avio_rl32(pb); // flags
- name_len = avio_rl32(pb); // name length
- if ((unsigned)name_len > INT_MAX / 2)
+ name2_len = avio_rl32(pb); // name length
+ if (name2_len > INT_MAX / 2)
return AVERROR_INVALIDDATA;
- if ((ret = avio_get_str16le(pb, name_len * 2, name,
- sizeof(name))) < name_len)
- avio_skip(pb, name_len - ret);
- avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, pres_time,
+ if ((ret = avio_get_str16le(pb, (int)name2_len, name,
+ sizeof(name))) < name2_len)
+ avio_skip(pb, name2_len - ret);
+
+ if (pres_time > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported presentation time value: %"PRIu64"\n", pres_time);
+ return AVERROR(ENOTSUP);
+ }
+ avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, (int64_t)pres_time,
AV_NOPTS_VALUE, name);
}
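Review bot: `avio_get_str16le(pb, (int)name2_len, name, sizeof(name))` silently drops the `* 2` that the old call applied to the length, so the number of bytes consumed for the marker description changes by a factor of two. The commit message ("fix variable types and add checks") does not mention this; if the old multiplication was wrong it deserves its own commit with the spec reference, and if it was right this hunk breaks marker parsing. Keeping the comparison `< name2_len` and the skip `name2_len - ret` consistent with whatever unit the length is in should be part of the same decision.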
@@ -739,7 +765,7 @@ static int asf_read_header(AVFormatContext *s)
ff_asf_guid g;
AVIOContext *pb = s->pb;
int i;
- int64_t gsize;
+ uint64_t gsize;
ff_get_guid(pb, &g);
if (ff_guidcmp(&g, &ff_asf_header))
@@ -754,7 +780,7 @@ static int asf_read_header(AVFormatContext *s)
asf->streams[i].stream_language_index = 128; // invalid stream index means no language info
for (;;) {
- uint64_t gpos = avio_tell(pb);
+ const int64_t gpos = avio_tell(pb);
int ret = 0;
ff_get_guid(pb, &g);
gsize = avio_rl64(pb);
@@ -809,7 +835,12 @@ static int asf_read_header(AVFormatContext *s)
len= avio_rl32(pb);
av_log(s, AV_LOG_DEBUG, "Secret data:\n");
- if ((ret = av_get_packet(pb, pkt, len)) < 0)
+ if (len > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported encryption packet length: %d\n", len);
+ return AVERROR(ENOTSUP);
+ }
+
+ if ((ret = av_get_packet(pb, pkt, (int)len)) < 0)
return ret;
av_hex_dump_log(s, AV_LOG_DEBUG, pkt->data, pkt->size);
av_packet_unref(pkt);
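Review bot: `"Unsupported encryption packet length: %d\n", len` prints an unsigned 32-bit value with `%d` (the `len > INT32_MAX` comparison is only meaningful if `len` is unsigned), so the one value this message exists to show comes out negative; use `%"PRIu32"`. The same mismatch recurs in the packet_timestamp, packet_size_left and padsize messages added to asf_get_packet() below.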
@@ -923,7 +954,7 @@ static int asf_read_header(AVFormatContext *s)
static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
{
ASFContext *asf = s->priv_data;
- uint32_t packet_length, padsize;
+ uint32_t packet_length, packet_ts, padsize;
int rsize = 8;
int c, d, e, off;
@@ -1011,7 +1042,12 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
- asf->packet_timestamp = avio_rl32(pb);
+ packet_ts = avio_rl32(pb);
+ if (packet_ts > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_timestamp value: %d\n", packet_ts);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_timestamp = (int)packet_ts;
avio_rl16(pb); /* duration */
// rsize has at least 11 bytes which have to be present
@@ -1030,10 +1066,21 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
rsize, packet_length, padsize, avio_tell(pb));
return AVERROR_INVALIDDATA;
}
- asf->packet_size_left = packet_length - padsize - rsize;
+
+ if (packet_length - padsize - rsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_size_left value: %d\n", packet_length - padsize - rsize);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_size_left = (int)(packet_length - padsize - rsize);
+
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
- asf->packet_padsize = padsize;
+ if (padsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet padsize value: %d\n", padsize);
+ return AVERROR(ENOTSUP);
+ }
+
+ asf->packet_padsize = (int)padsize;
av_log(s, AV_LOG_TRACE, "packet: size=%d padsize=%d left=%d\n",
s->packet_size, asf->packet_padsize, asf->packet_size_left);
return 0;
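Review bot: `packet_length - padsize - rsize` is now evaluated three times (check, log, assignment); compute it once into a `uint32_t` local and test that, which also makes it obvious that the expression relies on the guard above to keep it from wrapping. Both new messages pass `uint32_t` values to `%d`; use `%"PRIu32"`.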
@@ -1068,22 +1115,23 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_replic_size >= 8) {
- int64_t end = avio_tell(pb) + asf->packet_replic_size;
+ const int64_t end = avio_tell(pb) + asf->packet_replic_size;
AVRational aspect;
- asfst->packet_obj_size = avio_rl32(pb);
- if (asfst->packet_obj_size >= (1 << 24) || asfst->packet_obj_size < 0) {
+ const unsigned packet_obj_size = avio_rl32(pb);
+ if (packet_obj_size >= (1 << 24)) {
av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size);
asfst->packet_obj_size = 0;
return AVERROR_INVALIDDATA;
}
+ asfst->packet_obj_size = (int)packet_obj_size;
asf->packet_frag_timestamp = avio_rl32(pb); // timestamp
for (i = 0; i < asfst->payload_ext_ct; i++) {
ASFPayload *p = &asfst->payload[i];
- int size = p->size;
+ uint16_t size = p->size;
int64_t payend;
if (size == 0xFFFF)
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
payend = avio_tell(pb) + size;
if (payend > end) {
av_log(s, AV_LOG_ERROR, "too long payload\n");
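Review bot: the error path now logs the wrong value. `packet_obj_size` is read into a new local and `asfst->packet_obj_size` is only assigned after the check, so `av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size)` prints the stale value from the previous frame (or 0) rather than the offending one; log the local `packet_obj_size` with `%u` instead.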
@@ -1484,7 +1532,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
ASFStream *asf_st;
int64_t pts;
int64_t pos = *ppos;
- int i;
+ unsigned i;
int64_t start_pos[ASF_MAX_STREAMS];
for (i = 0; i < s->nb_streams; i++)
@@ -1541,7 +1589,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
int64_t ret;
if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) {
- return ret;
+ return (int)ret;
}
if ((ret = ff_get_guid(s->pb, &g)) < 0)
--
gitgitgadget
* RE: [PATCH 07/11] libavformat/asfdec: fix macro definition and use
2021-12-22 15:13 ` [PATCH 07/11] libavformat/asfdec: fix macro definition and use ffmpegagent
@ 2021-12-22 16:23 ` Soft Works
0 siblings, 0 replies; 68+ messages in thread
From: Soft Works @ 2021-12-22 16:23 UTC (permalink / raw)
To: ffmpegdev
> -----Original Message-----
> From: ffmpegagent <ffmpegagent@gmail.com>
> Sent: Wednesday, December 22, 2021 4:14 PM
> To: ffmpegdev@gitmailbox.com
> Cc: softworkz <softworkz@hotmail.com>; softworkz <softworkz@hotmail.com>
> Subject: [PATCH 07/11] libavformat/asfdec: fix macro definition and use
>
> From: softworkz <softworkz@hotmail.com>
>
> Signed-off-by: softworkz <softworkz@hotmail.com>
> ---
> libavformat/asfdec_f.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> index e87c78cd6c..a7b5ffe465 100644
> --- a/libavformat/asfdec_f.c
> +++ b/libavformat/asfdec_f.c
> @@ -896,21 +896,21 @@ static int asf_read_header(AVFormatContext *s)
> }
>
> #define DO_2BITS(bits, var, defval) \
> - switch (bits & 3) { \
> + switch ((bits) & 3) { \
> case 3: \
> - var = avio_rl32(pb); \
> + (var) = avio_rl32(pb); \
> rsize += 4; \
> break; \
> case 2: \
> - var = avio_rl16(pb); \
> + (var) = avio_rl16(pb); \
> rsize += 2; \
> break; \
> case 1: \
> - var = avio_r8(pb); \
> + (var) = avio_r8(pb); \
> rsize++; \
> break; \
> default: \
> - var = defval; \
> + (var) = (defval); \
> break; \
> }
>
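Review bot: dropping the semicolons at every DO_2BITS() call site (the later hunks in this patch) works only because the macro expands to a bare `switch` statement, and it makes the invocations look like unfinished statements to readers and to formatters. The conventional fix is to wrap the macro body in `do { ... } while (0)` and keep the `;` at the call sites; the added parentheses around `bits`, `var` and `defval` are correct and should stay.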
> @@ -993,9 +993,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext
> *pb)
> asf->packet_flags = c;
> asf->packet_property = d;
>
> - DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
> - DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
> - DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
> + DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
> + DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
> + DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
>
> // the following checks prevent overflows and infinite loops
> if (!packet_length || packet_length >= (1U << 29)) {
> @@ -1056,9 +1056,9 @@ static int asf_read_frame_header(AVFormatContext *s,
> AVIOContext *pb)
> asf->stream_index = asf->asfid2avid[num & 0x7f];
> asfst = &asf->streams[num & 0x7f];
> // sequence should be ignored!
> - DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
> - DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
> - DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
> + DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
> + DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
Here's another comment.
> + DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
> av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d
> replic_size:%d num:%X packet_property %X\n",
> asf->packet_key_frame, asf->stream_index, asf->packet_seq,
> asf->packet_frag_offset, asf->packet_replic_size, num, asf-
> >packet_property);
> @@ -1134,7 +1134,7 @@ static int asf_read_frame_header(AVFormatContext *s,
> AVIOContext *pb)
> return AVERROR_INVALIDDATA;
> }
> if (asf->packet_flags & 0x01) {
> - DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); //
> 0 is illegal
> + DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) //
> 0 is illegal
> if (rsize > asf->packet_size_left) {
> av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
> return AVERROR_INVALIDDATA;
> --
> gitgitgadget
* RE: [PATCH 06/11] libavformat/asfdec: remove unused parameters
2021-12-22 15:13 ` [PATCH 06/11] libavformat/asfdec: remove unused parameters ffmpegagent
@ 2021-12-22 18:16 ` Soft Works
0 siblings, 0 replies; 68+ messages in thread
From: Soft Works @ 2021-12-22 18:16 UTC (permalink / raw)
To: ffmpegdev
> -----Original Message-----
> From: ffmpegagent <ffmpegagent@gmail.com>
> Sent: Wednesday, December 22, 2021 4:14 PM
> To: ffmpegdev@gitmailbox.com
> Cc: softworkz <softworkz@hotmail.com>; softworkz <softworkz@hotmail.com>
> Subject: [PATCH 06/11] libavformat/asfdec: remove unused parameters
>
> From: softworkz <softworkz@hotmail.com>
>
> Signed-off-by: softworkz <softworkz@hotmail.com>
> ---
> libavformat/asfdec_f.c | 30 +++++++++++++++---------------
> 1 file changed, 15 insertions(+), 15 deletions(-)
>
> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> index 4c898ab3f2..e87c78cd6c 100644
> --- a/libavformat/asfdec_f.c
> +++ b/libavformat/asfdec_f.c
> @@ -299,7 +299,7 @@ finish:
> avio_seek(s->pb, off + len, SEEK_SET);
> }
>
> -static int asf_read_file_properties(AVFormatContext *s, int64_t size)
> +static int asf_read_file_properties(AVFormatContext *s)
> {
> ASFContext *asf = s->priv_data;
> AVIOContext *pb = s->pb;
> @@ -494,7 +494,7 @@ static int asf_read_stream_properties(AVFormatContext *s,
> int64_t size)
> return 0;
> }
>
> -static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
> +static int asf_read_ext_stream_properties(AVFormatContext *s)
> {
> ASFContext *asf = s->priv_data;
> AVIOContext *pb = s->pb;
> @@ -554,7 +554,7 @@ static int asf_read_ext_stream_properties(AVFormatContext
> *s, int64_t size)
> return 0;
> }
>
> -static int asf_read_content_desc(AVFormatContext *s, int64_t size)
> +static int asf_read_content_desc(AVFormatContext *s)
> {
> AVIOContext *pb = s->pb;
> uint32_t len1, len2, len3, len4, len5;
> @@ -573,7 +573,7 @@ static int asf_read_content_desc(AVFormatContext *s,
> int64_t size)
> return 0;
> }
>
> -static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
> +static int asf_read_ext_content_desc(AVFormatContext *s)
> {
> AVIOContext *pb = s->pb;
> ASFContext *asf = s->priv_data;
> @@ -619,7 +619,7 @@ static int asf_read_ext_content_desc(AVFormatContext *s,
> int64_t size)
> return 0;
> }
>
> -static int asf_read_language_list(AVFormatContext *s, int64_t size)
> +static int asf_read_language_list(AVFormatContext *s)
> {
> AVIOContext *pb = s->pb;
> ASFContext *asf = s->priv_data;
> @@ -639,7 +639,7 @@ static int asf_read_language_list(AVFormatContext *s,
> int64_t size)
> return 0;
> }
>
> -static int asf_read_metadata(AVFormatContext *s, int64_t size)
> +static int asf_read_metadata(AVFormatContext *s)
> {
> AVIOContext *pb = s->pb;
> ASFContext *asf = s->priv_data;
> @@ -693,7 +693,7 @@ static int asf_read_metadata(AVFormatContext *s, int64_t
> size)
> return 0;
> }
>
> -static int asf_read_marker(AVFormatContext *s, int64_t size)
> +static int asf_read_marker(AVFormatContext *s)
> {
> AVIOContext *pb = s->pb;
> ASFContext *asf = s->priv_data;
> @@ -772,21 +772,21 @@ static int asf_read_header(AVFormatContext *s)
> if (gsize < 24)
> return AVERROR_INVALIDDATA;
> if (!ff_guidcmp(&g, &ff_asf_file_header)) {
> - ret = asf_read_file_properties(s, gsize);
> + ret = asf_read_file_properties(s);
> } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
> ret = asf_read_stream_properties(s, gsize);
> } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
> - asf_read_content_desc(s, gsize);
> + asf_read_content_desc(s);
This is a test comment.
> } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
> - asf_read_language_list(s, gsize);
> + asf_read_language_list(s);
> } else if (!ff_guidcmp(&g, &ff_asf_extended_content_header)) {
> - asf_read_ext_content_desc(s, gsize);
> + asf_read_ext_content_desc(s);
> } else if (!ff_guidcmp(&g, &ff_asf_metadata_header)) {
> - asf_read_metadata(s, gsize);
> + asf_read_metadata(s);
> } else if (!ff_guidcmp(&g, &ff_asf_metadata_library_header)) {
> - asf_read_metadata(s, gsize);
> + asf_read_metadata(s);
> } else if (!ff_guidcmp(&g, &ff_asf_ext_stream_header)) {
> - asf_read_ext_stream_properties(s, gsize);
> + asf_read_ext_stream_properties(s);
>
> // there could be an optional stream properties object to follow
> // if so the next iteration will pick it up
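Review bot: removing the `size` argument is correct as far as these functions go, since none of them reads it, but `gsize` is the only bound available for validating lengths parsed inside an object (ext_len, name_len, value_len and so on), and it will have to come back if per-object bounds checks are added later; a sentence in the commit message saying the size is deliberately not used would help. Visible in the same hunk, though pre-existing: the return values of asf_read_content_desc(), asf_read_language_list(), asf_read_ext_content_desc(), asf_read_metadata() and asf_read_ext_stream_properties() are still discarded, so any AVERROR they report is lost.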
> @@ -796,7 +796,7 @@ static int asf_read_header(AVFormatContext *s)
> avio_skip(pb, 6);
> continue;
> } else if (!ff_guidcmp(&g, &ff_asf_marker_header)) {
> - asf_read_marker(s, gsize);
> + asf_read_marker(s);
> } else if (avio_feof(pb)) {
> return AVERROR_EOF;
> } else {
> --
> gitgitgadget
* [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (10 preceding siblings ...)
2021-12-22 15:13 ` [PATCH 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values ffmpegagent
@ 2022-05-07 9:36 ` ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 01/11] " softworkz
` (11 more replies)
11 siblings, 12 replies; 68+ messages in thread
From: ffmpegagent @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
The spec allows attachment sizes of up to UINT32_MAX while we can handle
only sizes up to INT32_MAX (in downstream code)
The debug.assert in get_tag didn't really address this, and truncating the
value_len in calling methods cannot be used because the length value is
required in order to continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
v2: Rebased & PING
softworkz (11):
libavformat/asf: fix handling of byte array length values
libavformat/asfdec: fix get_value return type and add checks for
libavformat/asfdec: fix type of value_len
libavformat/asfdec: fixing get_tag
libavformat/asfdec: implement parsing of GUID values
libavformat/asfdec: remove unused parameters
libavformat/asfdec: fix macro definition and use
libavformat/asfdec: remove variable redefinition in inner scope
libavformat/asfdec: ensure variables are initialized
libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
libavformat/asfdec: fix variable types and add checks for unsupported
values
libavformat/asf.c | 12 +-
libavformat/asf.h | 2 +-
libavformat/asfdec_f.c | 349 ++++++++++++++++++++++++++---------------
3 files changed, 232 insertions(+), 131 deletions(-)
base-commit: f3b7ba21ba49b32b4476a8c7c5a9bcdad15e3943
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-12%2Fsoftworkz%2Fmaster-upstream_asf_4-v2
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-12/softworkz/master-upstream_asf_4-v2
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/12
Range-diff vs v1:
1: 1e8c0fa058 = 1: 0056a93a34 libavformat/asf: fix handling of byte array length values
2: b5be0046e9 = 2: a35b7c87d4 libavformat/asfdec: fix get_value return type and add checks for
3: c8119dad11 = 3: b8039dc4cf libavformat/asfdec: fix type of value_len
4: 3528d46886 = 4: 6e19df6e89 libavformat/asfdec: fixing get_tag
5: dc5a56662c = 5: 0f3c417efe libavformat/asfdec: implement parsing of GUID values
6: 9988ecc6d2 = 6: 3bee11e40f libavformat/asfdec: remove unused parameters
7: 3b5695c25b = 7: ca9bbc79de libavformat/asfdec: fix macro definition and use
8: f1af8c82fc = 8: 238290bbce libavformat/asfdec: remove variable redefinition in inner scope
9: 2214e02e7e = 9: 654e44d526 libavformat/asfdec: ensure variables are initialized
10: b60e0bcc29 = 10: d461f039d2 libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
11: da268b909b = 11: f606f322bb libavformat/asfdec: fix variable types and add checks for unsupported values
--
ffmpeg-codebot
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH v2 01/11] libavformat/asf: fix handling of byte array length values
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
@ 2022-05-07 9:36 ` softworkz
2022-05-07 18:48 ` Michael Niedermayer
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
` (10 subsequent siblings)
11 siblings, 1 reply; 68+ messages in thread
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
The spec allows attachment sizes of up to UINT32_MAX while
we can handle only sizes up to INT32_MAX (in downstream
code)
The debug.assert in get_tag didn't really address this,
and truncating the value_len in calling methods cannot
be used because the length value is required in order to
continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asf.c | 12 +++++++++---
libavformat/asf.h | 2 +-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/libavformat/asf.c b/libavformat/asf.c
index 1ac8b5f078..179b66a2b4 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
}
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len)
+ uint32_t val_len)
{
+ if (val_len > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
+ return 1;
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
- return asf_read_picture(s, val_len);
+ return asf_read_picture(s, (int)val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
- return get_id3_tag(s, val_len);
+ return get_id3_tag(s, (int)val_len);
+ av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name);
return 1;
}
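Review bot: the new INT32_MAX branch returns 1, the same value used for "tag not handled", so a caller cannot distinguish an oversized array from an unknown tag name; that is acceptable because the caller seeks past the value in either case, but the doc comment for ff_asf_handle_byte_array() in asf.h (touched in the next hunk) should state that arrays larger than INT32_MAX are reported as unsupported. Since asf_read_picture() and get_id3_tag() both take an `int`, comparing against INT_MAX would match the `(int)val_len` cast more precisely than INT32_MAX, though the two are equal on every platform FFmpeg supports.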
diff --git a/libavformat/asf.h b/libavformat/asf.h
index 01cc4f7a46..4d28560f56 100644
--- a/libavformat/asf.h
+++ b/libavformat/asf.h
@@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[];
* is unsupported by this function and 0 otherwise.
*/
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len);
+ uint32_t val_len);
#define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v2 02/11] libavformat/asfdec: fix get_value return type and add checks for
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 01/11] " softworkz
@ 2022-05-07 9:36 ` softworkz
2022-05-07 18:57 ` Michael Niedermayer
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 03/11] libavformat/asfdec: fix type of value_len softworkz
` (9 subsequent siblings)
11 siblings, 1 reply; 68+ messages in thread
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
unsupported values
get_value had a return type of int, which means that reading
QWORDS (case 4) was broken due to truncation of the result from
avio_rl64().
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 38 +++++++++++++++++++++++++++++---------
1 file changed, 29 insertions(+), 9 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index a8f36ed286..d31e1d581d 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -202,7 +202,7 @@ static int asf_probe(const AVProbeData *pd)
/* size of type 2 (BOOL) is 32bit for "Extended Content Description Object"
* but 16 bit for "Metadata Object" and "Metadata Library Object" */
-static int get_value(AVIOContext *pb, int type, int type2_size)
+static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
{
switch (type) {
case ASF_BOOL:
@@ -567,10 +567,22 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
* since it's unused. */
- if (!strcmp(name, "AspectRatioX"))
- asf->dar[0].num = get_value(s->pb, value_type, 32);
- else if (!strcmp(name, "AspectRatioY"))
- asf->dar[0].den = get_value(s->pb, value_type, 32);
+ if (!strcmp(name, "AspectRatioX")) {
+ const uint64_t value = get_value(s->pb, value_type, 32);
+ if (value > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", value);
+ return AVERROR(ENOTSUP);
+ }
+ asf->dar[0].num = (int)value;
+ }
+ else if (!strcmp(name, "AspectRatioY")) {
+ const uint64_t value = get_value(s->pb, value_type, 32);
+ if (value > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", value);
+ return AVERROR(ENOTSUP);
+ }
+ asf->dar[0].den = (int)value;
+ }
else
get_tag(s, name, value_type, value_len, 32);
}
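Review bot: returning AVERROR(ENOTSUP) from inside the descriptor loop aborts parsing of the whole Extended Content Description object, and with it the header, because one AspectRatioX/Y value exceeds INT32_MAX, although the stream is perfectly decodable without the aspect ratio hint. Log the value and skip it (leave asf->dar[0] untouched) instead of failing; the same applies to the Metadata Object hunk below. The two blocks are identical apart from `.num`/`.den` and would read better as one small helper, and `}` and `else if` belong on the same line per the surrounding style.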
@@ -630,13 +642,21 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
i, stream_num, name_len_utf16, value_type, value_len, name);
if (!strcmp(name, "AspectRatioX")){
- int aspect_x = get_value(s->pb, value_type, 16);
+ const uint64_t aspect_x = get_value(s->pb, value_type, 16);
+ if (aspect_x > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", aspect_x);
+ return AVERROR(ENOTSUP);
+ }
if(stream_num < 128)
- asf->dar[stream_num].num = aspect_x;
+ asf->dar[stream_num].num = (int)aspect_x;
} else if(!strcmp(name, "AspectRatioY")){
- int aspect_y = get_value(s->pb, value_type, 16);
+ const uint64_t aspect_y = get_value(s->pb, value_type, 16);
+ if (aspect_y > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", aspect_y);
+ return AVERROR(ENOTSUP);
+ }
if(stream_num < 128)
- asf->dar[stream_num].den = aspect_y;
+ asf->dar[stream_num].den = (int)aspect_y;
} else {
get_tag(s, name, value_type, value_len, 16);
}
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v2 03/11] libavformat/asfdec: fix type of value_len
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 01/11] " softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
@ 2022-05-07 9:36 ` softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 04/11] libavformat/asfdec: fixing get_tag softworkz
` (8 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
The value_len is a uint32 not an int32 per spec. That
value must not be truncated, neither by casting to int, nor by any
conditional checks, because at the end of get_tag, this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index d31e1d581d..29b429fee9 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
}
}
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
char *value = NULL;
@@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
static int asf_read_content_desc(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
- int len1, len2, len3, len4, len5;
+ uint32_t len1, len2, len3, len4, len5;
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
@@ -614,25 +614,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int n, name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type;
+ uint32_t value_len;
int ret, i;
n = avio_rl16(pb);
for (i = 0; i < n; i++) {
uint8_t *name;
- int value_type;
avio_rl16(pb); // lang_list_index
- stream_num = avio_rl16(pb);
- name_len_utf16 = avio_rl16(pb);
- value_type = avio_rl16(pb); /* value_type */
- value_len = avio_rl32(pb);
+ stream_num = (uint16_t)avio_rl16(pb);
+ name_len_utf16 = (uint16_t)avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb); /* value_type */
+ value_len = avio_rl32(pb);
- if (value_len < 0 || value_len > UINT16_MAX)
- return AVERROR_INVALIDDATA;
-
- name_len_utf8 = 2*name_len_utf16 + 1;
- name = av_malloc(name_len_utf8);
+ name_len_utf8 = 2 * name_len_utf16 + 1;
+ name = av_malloc(name_len_utf8);
if (!name)
return AVERROR(ENOMEM);
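Review bot: this hunk removes `if (value_len < 0 || value_len > UINT16_MAX) return AVERROR_INVALIDDATA;` while get_tag() at this point in the series still contains `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)`, which is only removed in patch 04. Between the two commits a Metadata Object carrying a large value_len therefore turns an input-validation failure into an abort of the process, and it also breaks bisecting. Squash 03 into 04, or move the assertion removal into this patch.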
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v2 04/11] libavformat/asfdec: fixing get_tag
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (2 preceding siblings ...)
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 03/11] libavformat/asfdec: fix type of value_len softworkz
@ 2022-05-07 9:36 ` softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 05/11] libavformat/asfdec: implement parsing of GUID values softworkz
` (7 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
These three are closely related and can't be separated easily:
In get_tag, the code was adding 22 bytes (in order to allow
it to hold 64-bit numbers as string) to the value len for
creating a buffer. This was unnecessarily imposing a
size-constraint on the value_len parameter.
The code in get_tag was limiting the maximum value_len to
half the size of INT32. This was applied for all value types, even
though it is required only in case of ASF_UNICODE, not for any
other ones (like ASCII).
get_tag was always allocating a buffer regardless of the
datatype, even though this isn't required in case of ASF_BYTE_ARRAY.
The check for the return value from ff_asf_handle_byte_array()
being >0 is removed here because the log message is emitted
by the function itself now.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 29b429fee9..58c424b565 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -221,37 +221,63 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
- char *value = NULL;
int64_t off = avio_tell(s->pb);
-#define LEN 22
-
- av_assert0((unsigned)len < (INT_MAX - LEN) / 2);
+ char *value = NULL;
+ uint64_t required_bufferlen;
+ int buffer_len;
if (!asf->export_xmp && !strncmp(key, "xmp", 3))
goto finish;
- value = av_malloc(2 * len + LEN);
+ switch (type) {
+ case ASF_UNICODE:
+ required_bufferlen = (uint64_t)len * 2 + 1;
+ break;
+ case -1: // ASCII
+ required_bufferlen = (uint64_t)len + 1;
+ break;
+ case ASF_BYTE_ARRAY:
+ ff_asf_handle_byte_array(s, key, len);
+ goto finish;
+ case ASF_BOOL:
+ case ASF_DWORD:
+ case ASF_QWORD:
+ case ASF_WORD:
+ required_bufferlen = 22;
+ break;
+ case ASF_GUID:
+ required_bufferlen = 33;
+ break;
+ default:
+ required_bufferlen = len;
+ break;
+ }
+
+ if (required_bufferlen > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle values > INT32_MAX in tag %s.\n", key);
+ goto finish;
+ }
+
+ buffer_len = (int)required_bufferlen;
+
+ value = av_malloc(buffer_len);
if (!value)
goto finish;
switch (type) {
case ASF_UNICODE:
- avio_get_str16le(s->pb, len, value, 2 * len + 1);
+ avio_get_str16le(s->pb, len, value, buffer_len);
break;
- case -1: // ASCI
- avio_read(s->pb, value, len);
- value[len]=0;
+ case -1: // ASCII
+ avio_read(s->pb, value, buffer_len - 1);
+ value[buffer_len - 1] = 0;
break;
- case ASF_BYTE_ARRAY:
- if (ff_asf_handle_byte_array(s, key, len) > 0)
- av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", key);
- goto finish;
case ASF_BOOL:
case ASF_DWORD:
case ASF_QWORD:
case ASF_WORD: {
uint64_t num = get_value(s->pb, type, type2_size);
- snprintf(value, LEN, "%"PRIu64, num);
+ snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
case ASF_GUID:
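Review bot: the `default:` arm of the new sizing switch sets `required_bufferlen = len;` and falls through to `value = av_malloc(buffer_len);`, only for the second switch's default arm to log "Unsupported value type" and discard the buffer; move that log and its `goto finish` into the first switch so an unknown type allocates nothing (len comes from the file and may be anything up to INT32_MAX after the new check). Two smaller points: the two switches repeat the same case labels and could be merged into one (size, then read, per arm), and `avio_read(s->pb, value, buffer_len - 1);` still ignores its return value, so a short read leaves uninitialized bytes in `value` ahead of the terminator (pre-existing, but this patch rewrites that line).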
--
* [FFmpeg-devel] [PATCH v2 05/11] libavformat/asfdec: implement parsing of GUID values
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 58c424b565..4c898ab3f2 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -280,9 +280,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len,
snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
- case ASF_GUID:
- av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
- goto finish;
+ case ASF_GUID: {
+ ff_asf_guid g;
+ ff_get_guid(s->pb, &g);
+ snprintf(value, buffer_len, "%x", g[0]);
+ break;
+ }
default:
av_log(s, AV_LOG_DEBUG,
"Unsupported value type %d in tag %s.\n", type, key);
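Review bot: `snprintf(value, buffer_len, "%x", g[0]);` formats only the first byte of the 16-byte GUID, so every GUID tag sharing that byte yields the same string; the 33-byte buffer sized for ASF_GUID in 04/11 suggests the intent was all 16 bytes as 32 hex digits, which needs a loop over `g` with `%02x`. The return value of `ff_get_guid()` is also ignored here, although the same call is checked elsewhere in this file (`if ((ret = ff_get_guid(s->pb, &g)) < 0)` in 11/11); on a short read `g` is partially uninitialized before it is printed.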
--
* [FFmpeg-devel] [PATCH v2 06/11] libavformat/asfdec: remove unused parameters
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 4c898ab3f2..e87c78cd6c 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -299,7 +299,7 @@ finish:
avio_seek(s->pb, off + len, SEEK_SET);
}
-static int asf_read_file_properties(AVFormatContext *s, int64_t size)
+static int asf_read_file_properties(AVFormatContext *s)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
@@ -494,7 +494,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_ext_stream_properties(AVFormatContext *s)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
@@ -554,7 +554,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_content_desc(AVFormatContext *s, int64_t size)
+static int asf_read_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
uint32_t len1, len2, len3, len4, len5;
@@ -573,7 +573,7 @@ static int asf_read_content_desc(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
+static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -619,7 +619,7 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_language_list(AVFormatContext *s, int64_t size)
+static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -639,7 +639,7 @@ static int asf_read_language_list(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_metadata(AVFormatContext *s, int64_t size)
+static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -693,7 +693,7 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_marker(AVFormatContext *s, int64_t size)
+static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -772,21 +772,21 @@ static int asf_read_header(AVFormatContext *s)
if (gsize < 24)
return AVERROR_INVALIDDATA;
if (!ff_guidcmp(&g, &ff_asf_file_header)) {
- ret = asf_read_file_properties(s, gsize);
+ ret = asf_read_file_properties(s);
} else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
ret = asf_read_stream_properties(s, gsize);
} else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
- asf_read_content_desc(s, gsize);
+ asf_read_content_desc(s);
} else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
- asf_read_language_list(s, gsize);
+ asf_read_language_list(s);
} else if (!ff_guidcmp(&g, &ff_asf_extended_content_header)) {
- asf_read_ext_content_desc(s, gsize);
+ asf_read_ext_content_desc(s);
} else if (!ff_guidcmp(&g, &ff_asf_metadata_header)) {
- asf_read_metadata(s, gsize);
+ asf_read_metadata(s);
} else if (!ff_guidcmp(&g, &ff_asf_metadata_library_header)) {
- asf_read_metadata(s, gsize);
+ asf_read_metadata(s);
} else if (!ff_guidcmp(&g, &ff_asf_ext_stream_header)) {
- asf_read_ext_stream_properties(s, gsize);
+ asf_read_ext_stream_properties(s);
// there could be an optional stream properties object to follow
// if so the next iteration will pick it up
@@ -796,7 +796,7 @@ static int asf_read_header(AVFormatContext *s)
avio_skip(pb, 6);
continue;
} else if (!ff_guidcmp(&g, &ff_asf_marker_header)) {
- asf_read_marker(s, gsize);
+ asf_read_marker(s);
} else if (avio_feof(pb)) {
return AVERROR_EOF;
} else {
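Review bot: with the signatures now uniform, the dispatch in asf_read_header() still treats return values inconsistently: `ret = asf_read_file_properties(s);` is captured while `asf_read_content_desc(s);`, `asf_read_metadata(s);` and the rest discard theirs, so the `return AVERROR(ENOMEM);` in asf_read_metadata() (03/11) is lost and header parsing continues on a partially read object. Since this patch already touches every one of these call sites, assigning each result to `ret` would be cheap.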
--
* [FFmpeg-devel] [PATCH v2 07/11] libavformat/asfdec: fix macro definition and use
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index e87c78cd6c..a7b5ffe465 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -896,21 +896,21 @@ static int asf_read_header(AVFormatContext *s)
}
#define DO_2BITS(bits, var, defval) \
- switch (bits & 3) { \
+ switch ((bits) & 3) { \
case 3: \
- var = avio_rl32(pb); \
+ (var) = avio_rl32(pb); \
rsize += 4; \
break; \
case 2: \
- var = avio_rl16(pb); \
+ (var) = avio_rl16(pb); \
rsize += 2; \
break; \
case 1: \
- var = avio_r8(pb); \
+ (var) = avio_r8(pb); \
rsize++; \
break; \
default: \
- var = defval; \
+ (var) = (defval); \
break; \
}
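Review bot: parenthesizing the macro arguments is correct, but the macro still expands to a bare `switch` statement, which is why the trailing semicolons at the use sites had to be removed in the later hunks; wrapping the body in `do { ... } while (0)` keeps it a single statement, lets callers keep the `;`, and matches how it is used inside `if (asf->packet_flags & 0x01) { DO_2BITS(...) ... }`. The macro also reads `pb` and updates `rsize` from the caller's scope implicitly; a comment on the definition saying so would help the next reader.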
@@ -993,9 +993,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
asf->packet_flags = c;
asf->packet_property = d;
- DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
- DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
- DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
+ DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
+ DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
+ DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
// the following checks prevent overflows and infinite loops
if (!packet_length || packet_length >= (1U << 29)) {
@@ -1056,9 +1056,9 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
asf->stream_index = asf->asfid2avid[num & 0x7f];
asfst = &asf->streams[num & 0x7f];
// sequence should be ignored!
- DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
- DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
- DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
+ DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
+ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
+ DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d replic_size:%d num:%X packet_property %X\n",
asf->packet_key_frame, asf->stream_index, asf->packet_seq,
asf->packet_frag_offset, asf->packet_replic_size, num, asf->packet_property);
@@ -1134,7 +1134,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_flags & 0x01) {
- DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
+ DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) // 0 is illegal
if (rsize > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
return AVERROR_INVALIDDATA;
--
* [FFmpeg-devel] [PATCH v2 08/11] libavformat/asfdec: remove variable redefinition in inner scope
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index a7b5ffe465..8283f245ab 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1181,7 +1181,7 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
return AVERROR_EOF;
if (asf->packet_size_left < FRAME_HEADER_SIZE ||
asf->packet_segments < 1 && asf->packet_time_start == 0) {
- int ret = asf->packet_size_left + asf->packet_padsize;
+ ret = asf->packet_size_left + asf->packet_padsize;
if (asf->packet_size_left && asf->packet_size_left < FRAME_HEADER_SIZE)
av_log(s, AV_LOG_WARNING, "Skip due to FRAME_HEADER_SIZE\n");
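Review bot: `ret = asf->packet_size_left + asf->packet_padsize;` now overwrites the function-scope `ret` instead of a block-local one; that is behaviour-preserving only if the outer `ret` is dead at this point and nothing after the block reads the value it held before. The hunk does not show the outer declaration or its later uses, so please confirm that; the same question applies to the `- int ret;` removed in the second hunk, where the assignments that follow in that block now also write the outer variable.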
@@ -1250,7 +1250,6 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
if (asf_st->pkt.size != asf_st->packet_obj_size ||
// FIXME is this condition sufficient?
asf_st->frag_offset + asf->packet_frag_size > asf_st->pkt.size) {
- int ret;
if (asf_st->pkt.data) {
av_log(s, AV_LOG_INFO,
--
* [FFmpeg-devel] [PATCH v2 09/11] libavformat/asfdec: ensure variables are initialized
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 8283f245ab..024d77903b 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -968,6 +968,7 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
avio_seek(pb, -1, SEEK_CUR); // FIXME
}
} else {
+ d = e = 0;
c = avio_r8(pb);
if (c & 0x80) {
rsize ++;
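Review bot: `d = e = 0;` inside the `else` branch covers the one path shown, but the declaration `int c, d, e, off;` (visible in 11/11) is the natural place for the initializers, so every path through asf_get_packet() is covered and the fix does not depend on the branch structure staying as it is; the commit message should also say which path left them uninitialized and what consumed the garbage.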
--
* [FFmpeg-devel] [PATCH v2 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 024d77903b..b8140a6d57 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -323,7 +323,7 @@ static int asf_read_file_properties(AVFormatContext *s)
return 0;
}
-static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
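Review bot: changing `size` to uint64_t turns the check `size - (avio_tell(pb) - pos1 + 24) >= 51` inside this function (shown as context in 11/11) into unsigned arithmetic: when the bytes already consumed exceed `size`, the difference no longer goes negative and fails the test but wraps to a huge value and passes it, so the video-properties parse proceeds on a truncated object. Compare `avio_tell(pb) - pos1 + 24 <= size` before subtracting, or keep the subtraction signed. The caller still passes the int64_t `gsize` at this point in the series (it becomes uint64_t only in 11/11), so the two type changes belong in the same patch.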
--
* [FFmpeg-devel] [PATCH v2 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values
From: softworkz @ 2022-05-07 9:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 168 ++++++++++++++++++++++++++---------------
1 file changed, 108 insertions(+), 60 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index b8140a6d57..c7141f6da1 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -332,9 +332,9 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
ASFStream *asf_st;
ff_asf_guid g;
enum AVMediaType type;
- int type_specific_size, sizeX;
- unsigned int tag1;
- int64_t pos1, pos2, start_time;
+ unsigned int tag1, type_specific_size, sizeX;
+ int64_t pos1, pos2;
+ uint32_t start_time;
int test_for_ext_stream_audio, is_dvr_ms_audio = 0;
if (s->nb_streams == ASF_MAX_STREAMS) {
@@ -403,7 +403,14 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
st->codecpar->codec_type = type;
if (type == AVMEDIA_TYPE_AUDIO) {
- int ret = ff_get_wav_header(s, pb, st->codecpar, type_specific_size, 0);
+ int ret;
+
+ if (type_specific_size > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported WAV header size (> INT32_MAX)\n");
+ return AVERROR(ENOTSUP);
+ }
+
+ ret = ff_get_wav_header(s, pb, st->codecpar, (int)type_specific_size, 0);
if (ret < 0)
return ret;
if (is_dvr_ms_audio) {
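Review bot: a `type_specific_size` above INT32_MAX is a malformed stream-properties object rather than an unsupported feature, so AVERROR_INVALIDDATA fits better than AVERROR(ENOTSUP), and since the file is rejected the message should not sit at AV_LOG_DEBUG; the same applies to the other `> INT32_MAX` rejections this patch introduces. A tighter bound would be against the bytes left in the object (`size - (avio_tell(pb) - pos1)`), which also catches sizes well below INT32_MAX that still run past the object.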
@@ -433,21 +440,32 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
}
} else if (type == AVMEDIA_TYPE_VIDEO &&
size - (avio_tell(pb) - pos1 + 24) >= 51) {
+ unsigned int width, height;
avio_rl32(pb);
avio_rl32(pb);
avio_r8(pb);
avio_rl16(pb); /* size */
- sizeX = avio_rl32(pb); /* size */
- st->codecpar->width = avio_rl32(pb);
- st->codecpar->height = avio_rl32(pb);
+ sizeX = avio_rl32(pb); /* size */
+ width = avio_rl32(pb);
+ height = avio_rl32(pb);
+
+ if (width > INT32_MAX || height > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height);
+ return AVERROR(ENOTSUP);
+ }
+
+ st->codecpar->width = (int)width;
+ st->codecpar->height = (int)height;
/* not available for asf */
avio_rl16(pb); /* panes */
st->codecpar->bits_per_coded_sample = avio_rl16(pb); /* depth */
tag1 = avio_rl32(pb);
avio_skip(pb, 20);
if (sizeX > 40) {
- if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
- return AVERROR_INVALIDDATA;
+ if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported extradata size\n");
+ return AVERROR(ENOTSUP);
+ }
st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40);
st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size +
AV_INPUT_BUFFER_PADDING_SIZE);
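Review bot: `av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height);` passes `unsigned int` to `%d`; use `%u`, and `%"PRIu32"` for the uint32_t values printed the same way later in this patch (packet_ts, the packet_size_left expression, padsize, len). Separately, `size < sizeX - 40` is a bounds check on a malformed header, and this hunk changes its result from AVERROR_INVALIDDATA to AVERROR(ENOTSUP) with a DEBUG-level message; keep INVALIDDATA there, since only the second condition (`sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE`) is about a size that cannot be represented.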
@@ -499,9 +517,9 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
ff_asf_guid g;
- int ext_len, payload_ext_ct, stream_ct, i;
- uint32_t leak_rate, stream_num;
- unsigned int stream_languageid_index;
+ uint16_t payload_ext_ct, stream_ct, i;
+ uint32_t leak_rate, ext_len;
+ uint16_t stream_languageid_index, stream_num;
avio_rl64(pb); // starttime
avio_rl64(pb); // endtime
@@ -513,15 +531,15 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
avio_rl32(pb); // alt-init-bucket-fullness
avio_rl32(pb); // max-object-size
avio_rl32(pb); // flags (reliable,seekable,no_cleanpoints?,resend-live-cleanpoints, rest of bits reserved)
- stream_num = avio_rl16(pb); // stream-num
+ stream_num = (uint16_t)avio_rl16(pb); // stream-num
- stream_languageid_index = avio_rl16(pb); // stream-language-id-index
+ stream_languageid_index = (uint16_t)avio_rl16(pb); // stream-language-id-index
if (stream_num < 128)
asf->streams[stream_num].stream_language_index = stream_languageid_index;
avio_rl64(pb); // avg frametime in 100ns units
- stream_ct = avio_rl16(pb); // stream-name-count
- payload_ext_ct = avio_rl16(pb); // payload-extension-system-count
+ stream_ct = (uint16_t)avio_rl16(pb); // stream-name-count
+ payload_ext_ct = (uint16_t)avio_rl16(pb); // payload-extension-system-count
if (stream_num < 128) {
asf->stream_bitrates[stream_num] = leak_rate;
@@ -535,12 +553,10 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
}
for (i = 0; i < payload_ext_ct; i++) {
- int size;
+ uint16_t size;
ff_get_guid(pb, &g);
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
ext_len = avio_rl32(pb);
- if (ext_len < 0)
- return AVERROR_INVALIDDATA;
avio_skip(pb, ext_len);
if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
ASFPayload *p = &asf->streams[stream_num].payload[i];
@@ -577,20 +593,21 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int desc_count, i, ret;
+ uint16_t desc_count, i;
+ int ret;
- desc_count = avio_rl16(pb);
+ desc_count = (uint16_t)avio_rl16(pb);
for (i = 0; i < desc_count; i++) {
- int name_len, value_type, value_len;
+ uint16_t name_len, value_type, value_len;
char name[1024];
- name_len = avio_rl16(pb);
+ name_len = (uint16_t)avio_rl16(pb);
if (name_len % 2) // must be even, broken lavf versions wrote len-1
name_len += 1;
if ((ret = avio_get_str16le(pb, name_len, name, sizeof(name))) < name_len)
avio_skip(pb, name_len - ret);
- value_type = avio_rl16(pb);
- value_len = avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb);
+ value_len = (uint16_t)avio_rl16(pb);
if (!value_type && value_len % 2)
value_len += 1;
/* My sample has that stream set to 0 maybe that mean the container.
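Review bot: with `name_len` and `value_len` now uint16_t, the rounding at `name_len += 1;` and `value_len += 1;` wraps to 0 when the field is 0xFFFF (the int version produced 65536), so a legal odd-length field of that size is silently skipped and the following fields are misaligned; compute the rounded length in an `int` or `unsigned` local, or reject 0xFFFF explicitly before rounding.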
@@ -623,14 +640,16 @@ static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int j, ret;
- int stream_count = avio_rl16(pb);
+ int ret;
+ uint16_t j;
+ const uint16_t stream_count = (uint16_t)avio_rl16(pb);
+
for (j = 0; j < stream_count; j++) {
char lang[6];
- unsigned int lang_len = avio_r8(pb);
+ const uint8_t lang_len = (uint8_t)avio_r8(pb);
if ((ret = avio_get_str16le(pb, lang_len, lang,
sizeof(lang))) < lang_len)
- avio_skip(pb, lang_len - ret);
+ avio_skip(pb, (int)lang_len - ret);
if (j < 128)
av_strlcpy(asf->stream_languages[j], lang,
sizeof(*asf->stream_languages));
@@ -643,14 +662,14 @@ static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int n, name_len_utf8;
- uint16_t stream_num, name_len_utf16, value_type;
+ int name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type, i, n;
uint32_t value_len;
- int ret, i;
- n = avio_rl16(pb);
+ int ret;
+ n = (uint16_t)avio_rl16(pb);
for (i = 0; i < n; i++) {
- uint8_t *name;
+ char *name;
avio_rl16(pb); // lang_list_index
stream_num = (uint16_t)avio_rl16(pb);
@@ -664,7 +683,7 @@ static int asf_read_metadata(AVFormatContext *s)
return AVERROR(ENOMEM);
if ((ret = avio_get_str16le(pb, name_len_utf16, name, name_len_utf8)) < name_len_utf16)
- avio_skip(pb, name_len_utf16 - ret);
+ avio_skip(pb, (int)name_len_utf16 - ret);
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
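Review bot: the trace log `"%d stream %d name_len %2d type %d len %4d <%s>\n"` now prints the uint32_t `value_len` with `%4d`; use `%4"PRIu32"`. The uint16_t arguments promote to int and are fine with `%d`.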
@@ -697,19 +716,21 @@ static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int i, count, name_len, ret;
+ int ret;
+ unsigned count, i;
+ uint16_t name_len;
char name[1024];
avio_rl64(pb); // reserved 16 bytes
avio_rl64(pb); // ...
count = avio_rl32(pb); // markers count
avio_rl16(pb); // reserved 2 bytes
- name_len = avio_rl16(pb); // name length
+ name_len = (uint16_t)avio_rl16(pb); // name length
avio_skip(pb, name_len);
for (i = 0; i < count; i++) {
- int64_t pres_time;
- int name_len;
+ uint64_t pres_time;
+ unsigned name2_len;
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
@@ -720,13 +741,18 @@ static int asf_read_marker(AVFormatContext *s)
avio_rl16(pb); // entry length
avio_rl32(pb); // send time
avio_rl32(pb); // flags
- name_len = avio_rl32(pb); // name length
- if ((unsigned)name_len > INT_MAX / 2)
+ name2_len = avio_rl32(pb); // name length
+ if (name2_len > INT_MAX / 2)
return AVERROR_INVALIDDATA;
- if ((ret = avio_get_str16le(pb, name_len * 2, name,
- sizeof(name))) < name_len)
- avio_skip(pb, name_len - ret);
- avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, pres_time,
+ if ((ret = avio_get_str16le(pb, (int)name2_len, name,
+ sizeof(name))) < name2_len)
+ avio_skip(pb, name2_len - ret);
+
+ if (pres_time > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported presentation time value: %"PRIu64"\n", pres_time);
+ return AVERROR(ENOTSUP);
+ }
+ avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, (int64_t)pres_time,
AV_NOPTS_VALUE, name);
}
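Review bot: `avio_get_str16le(pb, (int)name2_len, name, sizeof(name))` replaces the former `name_len * 2`, which halves the number of bytes consumed for each marker name and shifts the position of every following marker entry; that is a behavioural change in the marker parser, not a type fix, and the commit message does not mention it. If the spec defines the length field in bytes and the `* 2` was a long-standing bug, state that and add a sample to FATE; otherwise keep `* 2` (with the existing `> INT_MAX / 2` guard) here and change the semantics in a separate patch.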
@@ -739,7 +765,7 @@ static int asf_read_header(AVFormatContext *s)
ff_asf_guid g;
AVIOContext *pb = s->pb;
int i;
- int64_t gsize;
+ uint64_t gsize;
ff_get_guid(pb, &g);
if (ff_guidcmp(&g, &ff_asf_header))
@@ -754,7 +780,7 @@ static int asf_read_header(AVFormatContext *s)
asf->streams[i].stream_language_index = 128; // invalid stream index means no language info
for (;;) {
- uint64_t gpos = avio_tell(pb);
+ const int64_t gpos = avio_tell(pb);
int ret = 0;
ff_get_guid(pb, &g);
gsize = avio_rl64(pb);
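Review bot: `gsize` is read straight from the file by `gsize = avio_rl64(pb);` and is now uint64_t while `gpos` stays `const int64_t`, so any `gpos + gsize` arithmetic is done in uint64_t and a gsize above `INT64_MAX - gpos` wraps when converted back to the int64_t offsets the avio API takes; add an upper bound on gsize (against `avio_size(pb)` or `INT64_MAX - gpos`) next to the existing `if (gsize < 24)` check.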
@@ -809,7 +835,12 @@ static int asf_read_header(AVFormatContext *s)
len= avio_rl32(pb);
av_log(s, AV_LOG_DEBUG, "Secret data:\n");
- if ((ret = av_get_packet(pb, pkt, len)) < 0)
+ if (len > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported encryption packet length: %d\n", len);
+ return AVERROR(ENOTSUP);
+ }
+
+ if ((ret = av_get_packet(pb, pkt, (int)len)) < 0)
return ret;
av_hex_dump_log(s, AV_LOG_DEBUG, pkt->data, pkt->size);
av_packet_unref(pkt);
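Review bot: the declaration of `len` is not in this hunk; if it is still `int`, the new `len > INT32_MAX` test can never be true (and compilers warn about it), and if it has become uint32_t then `"Unsupported encryption packet length: %d\n"` needs `%"PRIu32"`. Either way the declaration change should appear alongside the check so it can be reviewed.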
@@ -923,7 +954,7 @@ static int asf_read_header(AVFormatContext *s)
static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
{
ASFContext *asf = s->priv_data;
- uint32_t packet_length, padsize;
+ uint32_t packet_length, packet_ts, padsize;
int rsize = 8;
int c, d, e, off;
@@ -1011,7 +1042,12 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
- asf->packet_timestamp = avio_rl32(pb);
+ packet_ts = avio_rl32(pb);
+ if (packet_ts > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_timestamp value: %d\n", packet_ts);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_timestamp = (int)packet_ts;
avio_rl16(pb); /* duration */
// rsize has at least 11 bytes which have to be present
@@ -1030,10 +1066,21 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
rsize, packet_length, padsize, avio_tell(pb));
return AVERROR_INVALIDDATA;
}
- asf->packet_size_left = packet_length - padsize - rsize;
+
+ if (packet_length - padsize - rsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_size_left value: %d\n", packet_length - padsize - rsize);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_size_left = (int)(packet_length - padsize - rsize);
+
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
- asf->packet_padsize = padsize;
+ if (padsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet padsize value: %d\n", padsize);
+ return AVERROR(ENOTSUP);
+ }
+
+ asf->packet_padsize = (int)padsize;
av_log(s, AV_LOG_TRACE, "packet: size=%d padsize=%d left=%d\n",
s->packet_size, asf->packet_padsize, asf->packet_size_left);
return 0;
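Review bot: `packet_length` is already rejected when it is `>= (1U << 29)` (the guard shown in 07/11), and the `return AVERROR_INVALIDDATA;` immediately above this hunk appears to cover `padsize + rsize` exceeding it, so `packet_length - padsize - rsize > INT32_MAX` can only be true on an unsigned underflow the earlier check should have caught; if that guard is complete the new test is dead, and if it is not, the right response is AVERROR_INVALIDDATA rather than AVERROR(ENOTSUP). The same reasoning applies to `padsize > INT32_MAX` after the min_pktsize adjustment: min_pktsize is a header field and should be validated once where it is read.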
@@ -1068,22 +1115,23 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_replic_size >= 8) {
- int64_t end = avio_tell(pb) + asf->packet_replic_size;
+ const int64_t end = avio_tell(pb) + asf->packet_replic_size;
AVRational aspect;
- asfst->packet_obj_size = avio_rl32(pb);
- if (asfst->packet_obj_size >= (1 << 24) || asfst->packet_obj_size < 0) {
+ const unsigned packet_obj_size = avio_rl32(pb);
+ if (packet_obj_size >= (1 << 24)) {
av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size);
asfst->packet_obj_size = 0;
return AVERROR_INVALIDDATA;
}
+ asfst->packet_obj_size = (int)packet_obj_size;
asf->packet_frag_timestamp = avio_rl32(pb); // timestamp
for (i = 0; i < asfst->payload_ext_ct; i++) {
ASFPayload *p = &asfst->payload[i];
- int size = p->size;
+ uint16_t size = p->size;
int64_t payend;
if (size == 0xFFFF)
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
payend = avio_tell(pb) + size;
if (payend > end) {
av_log(s, AV_LOG_ERROR, "too long payload\n");
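Review bot: the error message inside `if (packet_obj_size >= (1 << 24))` still prints `asfst->packet_obj_size`, which at that point holds the previous packet's value because the new one is stored only afterwards by `asfst->packet_obj_size = (int)packet_obj_size;`, so the log reports a stale number; print the local `packet_obj_size` with `%u` instead.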
@@ -1484,7 +1532,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
ASFStream *asf_st;
int64_t pts;
int64_t pos = *ppos;
- int i;
+ unsigned i;
int64_t start_pos[ASF_MAX_STREAMS];
for (i = 0; i < s->nb_streams; i++)
@@ -1541,7 +1589,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
int64_t ret;
if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) {
- return ret;
+ return (int)ret;
}
if ((ret = ff_get_guid(s->pb, &g)) < 0)
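Review bot: the `return (int)ret;` cast is the same purely cosmetic kind that the 01/11 review called unneeded: a negative avio_seek result is an AVERROR code that fits an int, and the implicit int64_t to int conversion of such a value is well defined. For consistency with the rest of the series after that review, drop the cast here as well.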
--
ffmpeg-codebot
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 68+ messages in thread
* Re: [FFmpeg-devel] [PATCH v2 01/11] libavformat/asf: fix handling of byte array length values
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 01/11] " softworkz
@ 2022-05-07 18:48 ` Michael Niedermayer
2022-05-08 2:27 ` Soft Works
0 siblings, 1 reply; 68+ messages in thread
From: Michael Niedermayer @ 2022-05-07 18:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, May 07, 2022 at 09:36:34AM +0000, softworkz wrote:
> From: softworkz <softworkz@hotmail.com>
>
> The spec allows attachment sizes of up to UINT32_MAX while
> we can handle only sizes up to INT32_MAX (in downstream
> code)
>
> The debug.assert in get_tag didn't really address this,
> and truncating the value_len in calling methods cannot
> be used because the length value is required in order to
> continue parsing. This adds a check with log message in
> ff_asf_handle_byte_array to handle those (rare) cases.
>
> Signed-off-by: softworkz <softworkz@hotmail.com>
> ---
> libavformat/asf.c | 12 +++++++++---
> libavformat/asf.h | 2 +-
> 2 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/libavformat/asf.c b/libavformat/asf.c
> index 1ac8b5f078..179b66a2b4 100644
> --- a/libavformat/asf.c
> +++ b/libavformat/asf.c
> @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
> }
>
> int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
> - int val_len)
> + uint32_t val_len)
> {
> + if (val_len > INT32_MAX) {
> + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
> + return 1;
> + }
> +
> if (!strcmp(name, "WM/Picture")) // handle cover art
> - return asf_read_picture(s, val_len);
> + return asf_read_picture(s, (int)val_len);
> else if (!strcmp(name, "ID3")) // handle ID3 tag
> - return get_id3_tag(s, val_len);
> + return get_id3_tag(s, (int)val_len);
unneeded
>
> + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name);
Probably this should be DEBUG
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
* Re: [FFmpeg-devel] [PATCH v2 02/11] libavformat/asfdec: fix get_value return type and add checks for
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
@ 2022-05-07 18:57 ` Michael Niedermayer
0 siblings, 0 replies; 68+ messages in thread
From: Michael Niedermayer @ 2022-05-07 18:57 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, May 07, 2022 at 09:36:35AM +0000, softworkz wrote:
> From: softworkz <softworkz@hotmail.com>
>
> unsupported values
>
> get_value had a return type of int, which means that reading
> QWORDS (case 4) was broken due to truncation of the result from
> avio_rl64().
>
> Signed-off-by: softworkz <softworkz@hotmail.com>
> ---
> libavformat/asfdec_f.c | 38 +++++++++++++++++++++++++++++---------
> 1 file changed, 29 insertions(+), 9 deletions(-)
>
> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> index a8f36ed286..d31e1d581d 100644
> --- a/libavformat/asfdec_f.c
> +++ b/libavformat/asfdec_f.c
> @@ -202,7 +202,7 @@ static int asf_probe(const AVProbeData *pd)
>
> /* size of type 2 (BOOL) is 32bit for "Extended Content Description Object"
> * but 16 bit for "Metadata Object" and "Metadata Library Object" */
> -static int get_value(AVIOContext *pb, int type, int type2_size)
> +static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
> {
> switch (type) {
> case ASF_BOOL:
> @@ -567,10 +567,22 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
> /* My sample has that stream set to 0 maybe that mean the container.
> * ASF stream count starts at 1. I am using 0 to the container value
> * since it's unused. */
> - if (!strcmp(name, "AspectRatioX"))
> - asf->dar[0].num = get_value(s->pb, value_type, 32);
> - else if (!strcmp(name, "AspectRatioY"))
> - asf->dar[0].den = get_value(s->pb, value_type, 32);
> + if (!strcmp(name, "AspectRatioX")) {
> + const uint64_t value = get_value(s->pb, value_type, 32);
> + if (value > INT32_MAX) {
> + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", value);
> + return AVERROR(ENOTSUP);
> + }
> + asf->dar[0].num = (int)value;
> + }
> + else if (!strcmp(name, "AspectRatioY")) {
> + const uint64_t value = get_value(s->pb, value_type, 32);
> + if (value > INT32_MAX) {
> + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", value);
> + return AVERROR(ENOTSUP);
> + }
> + asf->dar[0].den = (int)value;
> + }
> else
> get_tag(s, name, value_type, value_len, 32);
> }
> @@ -630,13 +642,21 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
> i, stream_num, name_len_utf16, value_type, value_len, name);
>
> if (!strcmp(name, "AspectRatioX")){
> - int aspect_x = get_value(s->pb, value_type, 16);
> + const uint64_t aspect_x = get_value(s->pb, value_type, 16);
> + if (aspect_x > INT32_MAX) {
> + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", aspect_x);
> + return AVERROR(ENOTSUP);
> + }
> if(stream_num < 128)
> - asf->dar[stream_num].num = aspect_x;
> + asf->dar[stream_num].num = (int)aspect_x;
> } else if(!strcmp(name, "AspectRatioY")){
> - int aspect_y = get_value(s->pb, value_type, 16);
> + const uint64_t aspect_y = get_value(s->pb, value_type, 16);
> + if (aspect_y > INT32_MAX) {
> + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", aspect_y);
> + return AVERROR(ENOTSUP);
> + }
> if(stream_num < 128)
> - asf->dar[stream_num].den = aspect_y;
> + asf->dar[stream_num].den = (int)aspect_y;
> } else {
If you go to the length to do something with oddly huge aspect components
maybe change dar to 2 uint64_t and check it in one place instead of 2
also the av_reduce() can handle a wider range than int32
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didnt complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"
* Re: [FFmpeg-devel] [PATCH v2 01/11] libavformat/asf: fix handling of byte array length values
2022-05-07 18:48 ` Michael Niedermayer
@ 2022-05-08 2:27 ` Soft Works
0 siblings, 0 replies; 68+ messages in thread
From: Soft Works @ 2022-05-08 2:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Michael Niedermayer
> Sent: Saturday, May 7, 2022 8:49 PM
> To: FFmpeg development discussions and patches <ffmpeg-
> devel@ffmpeg.org>
> Subject: Re: [FFmpeg-devel] [PATCH v2 01/11] libavformat/asf: fix
> handling of byte array length values
>
> On Sat, May 07, 2022 at 09:36:34AM +0000, softworkz wrote:
> > From: softworkz <softworkz@hotmail.com>
> >
> > The spec allows attachment sizes of up to UINT32_MAX while
> > we can handle only sizes up to INT32_MAX (in downstream
> > code)
> >
> > The debug.assert in get_tag didn't really address this,
> > and truncating the value_len in calling methods cannot
> > be used because the length value is required in order to
> > continue parsing. This adds a check with log message in
> > ff_asf_handle_byte_array to handle those (rare) cases.
> >
> > Signed-off-by: softworkz <softworkz@hotmail.com>
> > ---
> > libavformat/asf.c | 12 +++++++++---
> > libavformat/asf.h | 2 +-
> > 2 files changed, 10 insertions(+), 4 deletions(-)
> >
> > diff --git a/libavformat/asf.c b/libavformat/asf.c
> > index 1ac8b5f078..179b66a2b4 100644
> > --- a/libavformat/asf.c
> > +++ b/libavformat/asf.c
> > @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int
> len)
> > }
> >
> > int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
> > - int val_len)
> > + uint32_t val_len)
> > {
> > + if (val_len > INT32_MAX) {
> > + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays >
> INT32_MAX in tag %s.\n", name);
> > + return 1;
> > + }
> > +
>
> > if (!strcmp(name, "WM/Picture")) // handle cover art
> > - return asf_read_picture(s, val_len);
> > + return asf_read_picture(s, (int)val_len);
> > else if (!strcmp(name, "ID3")) // handle ID3 tag
> > - return get_id3_tag(s, val_len);
> > + return get_id3_tag(s, (int)val_len);
>
> unneeded
Hi Michael,
thanks a lot for reviewing!
I think we had talked about this a while ago. From my point of view,
that explicit cast to int tells me, every other reader of the code,
and any static analysis or linting tools that the developer
has been aware of the data type mismatch between the supplied variable
and the parameter type, and that the conversion is intended rather
than accidental.
But I don't want to insist - I have removed it.
> >
> > + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag
> %s.\n", name);
>
> Probably this should be DEBUG
The problem with DEBUG is that some components are spitting out
so many lines with log level DEBUG that you'd hardly ever see it
unless you'd explicitly search for that exact line, while that
line is rather of the kind that you don't expect.
I've changed it to DEBUG, though.
> > if (!strcmp(name, "AspectRatioX")){
> > - int aspect_x = get_value(s->pb, value_type, 16);
> > + const uint64_t aspect_x = get_value(s->pb, value_type,
> 16);
> > + if (aspect_x > INT32_MAX) {
> > + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX
> value: %"PRIu64"\n", aspect_x);
> > + return AVERROR(ENOTSUP);
> > + }
> > if(stream_num < 128)
> > - asf->dar[stream_num].num = aspect_x;
> > + asf->dar[stream_num].num = (int)aspect_x;
> > } else if(!strcmp(name, "AspectRatioY")){
> > - int aspect_y = get_value(s->pb, value_type, 16);
> > + const uint64_t aspect_y = get_value(s->pb, value_type,
> 16);
> > + if (aspect_y > INT32_MAX) {
> > + av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY
> value: %"PRIu64"\n", aspect_y);
> > + return AVERROR(ENOTSUP);
> > + }
> > if(stream_num < 128)
> > - asf->dar[stream_num].den = aspect_y;
> > + asf->dar[stream_num].den = (int)aspect_y;
> > } else {
>
> If you go to the length to do something with oddly huge aspect
> components
> maybe change dar to 2 uint64_t and check it in one place instead of 2
> also the av_reduce() can handle a wider range than int32
Good idea, didn't know that av_reduce() can take larger numbers.
Done.
Thanks again,
softworkz
* [FFmpeg-devel] [PATCH v3 00/11] libavformat/asf: fix handling of byte array length values
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
` (10 preceding siblings ...)
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
@ 2022-05-08 3:01 ` ffmpegagent
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 01/11] " softworkz
` (11 more replies)
11 siblings, 12 replies; 68+ messages in thread
From: ffmpegagent @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
The spec allows attachment sizes of up to UINT32_MAX while we can handle
only sizes up to INT32_MAX (in downstream code)
The debug.assert in get_tag didn't really address this, and truncating the
value_len in calling methods cannot be used because the length value is
required in order to continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
v2: Rebased & PING
v3: Adjustments suggested by Michael
softworkz (11):
libavformat/asf: fix handling of byte array length values
libavformat/asfdec: fix get_value return type and add checks for
libavformat/asfdec: fix type of value_len
libavformat/asfdec: fixing get_tag
libavformat/asfdec: implement parsing of GUID values
libavformat/asfdec: remove unused parameters
libavformat/asfdec: fix macro definition and use
libavformat/asfdec: remove variable redefinition in inner scope
libavformat/asfdec: ensure variables are initialized
libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
libavformat/asfdec: fix variable types and add checks for unsupported
values
libavformat/asf.c | 8 +-
libavformat/asf.h | 2 +-
libavformat/asfdec_f.c | 368 ++++++++++++++++++++++++++---------------
3 files changed, 244 insertions(+), 134 deletions(-)
base-commit: f1c19867d72a14699277175101b2bcf1e333af88
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-12%2Fsoftworkz%2Fmaster-upstream_asf_4-v3
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-12/softworkz/master-upstream_asf_4-v3
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/12
Range-diff vs v2:
1: 0056a93a34 ! 1: b5c56bf5d0 libavformat/asf: fix handling of byte array length values
@@ libavformat/asf.c: static int get_id3_tag(AVFormatContext *s, int len)
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
-- return asf_read_picture(s, val_len);
-+ return asf_read_picture(s, (int)val_len);
+ return asf_read_picture(s, val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
-- return get_id3_tag(s, val_len);
-+ return get_id3_tag(s, (int)val_len);
+ return get_id3_tag(s, val_len);
-+ av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name);
++ av_log(s, AV_LOG_DEBUG, "Unsupported byte array in tag %s.\n", name);
return 1;
}
2: a35b7c87d4 ! 2: e6aa0fb7f3 libavformat/asfdec: fix get_value return type and add checks for
@@ libavformat/asfdec_f.c: static int asf_probe(const AVProbeData *pd)
{
switch (type) {
case ASF_BOOL:
+@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
+ {
+ AVIOContext *pb = s->pb;
+ ASFContext *asf = s->priv_data;
++ uint64_t dar_num = 0;
++ uint64_t dar_den = 0;
+ int desc_count, i, ret;
+
+ desc_count = avio_rl16(pb);
@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s,
- else if (!strcmp(name, "AspectRatioY"))
- asf->dar[0].den = get_value(s->pb, value_type, 32);
+ if (!strcmp(name, "AspectRatioX")) {
-+ const uint64_t value = get_value(s->pb, value_type, 32);
-+ if (value > INT32_MAX) {
-+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", value);
++ dar_num = get_value(s->pb, value_type, 32);
++ if (dar_num > INT64_MAX) {
++ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num);
+ return AVERROR(ENOTSUP);
+ }
-+ asf->dar[0].num = (int)value;
+ }
+ else if (!strcmp(name, "AspectRatioY")) {
-+ const uint64_t value = get_value(s->pb, value_type, 32);
-+ if (value > INT32_MAX) {
-+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", value);
++ dar_den = get_value(s->pb, value_type, 32);
++ if (dar_den > INT64_MAX) {
++ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den);
+ return AVERROR(ENOTSUP);
+ }
-+ asf->dar[0].den = (int)value;
+ }
else
get_tag(s, name, value_type, value_len, 32);
}
+
++ if (dar_num && dar_den)
++ av_reduce(&asf->dar[0].num, &asf->dar[0].den, dar_num, dar_den, INT_MAX);
++
+ return 0;
+ }
+
+@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
+ {
+ AVIOContext *pb = s->pb;
+ ASFContext *asf = s->priv_data;
++ uint64_t dar_num[128] = {0};
++ uint64_t dar_den[128] = {0};
+ int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int ret, i;
+ n = avio_rl16(pb);
@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
+ av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
- if (!strcmp(name, "AspectRatioX")){
+- if (!strcmp(name, "AspectRatioX")){
- int aspect_x = get_value(s->pb, value_type, 16);
-+ const uint64_t aspect_x = get_value(s->pb, value_type, 16);
-+ if (aspect_x > INT32_MAX) {
-+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", aspect_x);
-+ return AVERROR(ENOTSUP);
-+ }
- if(stream_num < 128)
+- if(stream_num < 128)
- asf->dar[stream_num].num = aspect_x;
-+ asf->dar[stream_num].num = (int)aspect_x;
- } else if(!strcmp(name, "AspectRatioY")){
+- } else if(!strcmp(name, "AspectRatioY")){
- int aspect_y = get_value(s->pb, value_type, 16);
-+ const uint64_t aspect_y = get_value(s->pb, value_type, 16);
-+ if (aspect_y > INT32_MAX) {
-+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", aspect_y);
+- if(stream_num < 128)
+- asf->dar[stream_num].den = aspect_y;
+- } else {
++ if (!strcmp(name, "AspectRatioX") && stream_num < 128) {
++ dar_num[stream_num] = get_value(s->pb, value_type, 16);
++ if (dar_num[stream_num] > INT64_MAX) {
++ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
- if(stream_num < 128)
-- asf->dar[stream_num].den = aspect_y;
-+ asf->dar[stream_num].den = (int)aspect_y;
- } else {
++ }
++ else if (!strcmp(name, "AspectRatioY") && stream_num < 128) {
++ dar_den[stream_num] = get_value(s->pb, value_type, 16);
++ if (dar_den[stream_num] > INT64_MAX) {
++ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den[stream_num]);
++ return AVERROR(ENOTSUP);
++ }
++ } else
get_tag(s, name, value_type, value_len, 16);
++
++
++ if (stream_num < 128 && dar_num[stream_num] && dar_den[stream_num]) {
++ av_reduce(&asf->dar[stream_num].num, &asf->dar[stream_num].den, dar_num[stream_num], dar_den[stream_num], INT_MAX);
++ dar_num[stream_num] = 0;
++ dar_den[stream_num] = 0;
}
++
+ av_freep(&name);
+ }
+
3: b8039dc4cf ! 3: b84474d729 libavformat/asfdec: fix type of value_len
@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContex
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
- {
- AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num[128] = {0};
+ uint64_t dar_den[128] = {0};
- int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int n, name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type;
4: 6e19df6e89 = 4: a54feb51a1 libavformat/asfdec: fixing get_tag
5: 0f3c417efe = 5: e14beb2c15 libavformat/asfdec: implement parsing of GUID values
6: 3bee11e40f = 6: 06062da88b libavformat/asfdec: remove unused parameters
7: ca9bbc79de = 7: 273823a5b4 libavformat/asfdec: fix macro definition and use
8: 238290bbce = 8: aaa37aca21 libavformat/asfdec: remove variable redefinition in inner scope
9: 654e44d526 = 9: 6aedb68b76 libavformat/asfdec: ensure variables are initialized
10: d461f039d2 = 10: 28ebbe7289 libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
11: f606f322bb ! 11: bbeee5f2da libavformat/asfdec: fix variable types and add checks for unsupported values
@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContex
if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
ASFPayload *p = &asf->streams[stream_num].payload[i];
@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s)
- {
- AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num = 0;
+ uint64_t dar_den = 0;
- int desc_count, i, ret;
+ uint16_t desc_count, i;
+ int ret;
@@ libavformat/asfdec_f.c: static int asf_read_language_list(AVFormatContext *s)
av_strlcpy(asf->stream_languages[j], lang,
sizeof(*asf->stream_languages));
@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
- {
- AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num[128] = {0};
+ uint64_t dar_den[128] = {0};
- int n, name_len_utf8;
- uint16_t stream_num, name_len_utf16, value_type;
+ int name_len_utf8;
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 01/11] libavformat/asf: fix handling of byte array length values
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
@ 2022-05-08 3:01 ` softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
` (10 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
The spec allows attachment sizes of up to UINT32_MAX while
we can handle only sizes up to INT32_MAX (in downstream
code)
The debug.assert in get_tag didn't really address this,
and truncating the value_len in calling methods cannot
be used because the length value is required in order to
continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asf.c | 8 +++++++-
libavformat/asf.h | 2 +-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavformat/asf.c b/libavformat/asf.c
index 1ac8b5f078..650f55ac3d 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
}
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len)
+ uint32_t val_len)
{
+ if (val_len > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
+ return 1;
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
return asf_read_picture(s, val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
return get_id3_tag(s, val_len);
+ av_log(s, AV_LOG_DEBUG, "Unsupported byte array in tag %s.\n", name);
return 1;
}
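Review bot: the two new messages in ff_asf_handle_byte_array now sit at different levels, `AV_LOG_VERBOSE` for `val_len > INT32_MAX` and `AV_LOG_DEBUG` for the unsupported-tag fallthrough; the v2 review asked for DEBUG and the range-diff only changed the second one. Keeping the first at VERBOSE is defensible (a file that is valid per spec is being partially ignored, which a user may want to see), but then the commit message should say so, since it still describes both as one "check with log message". Separately, both paths return 1, so a caller cannot tell "tag unknown, skipped" from "tag known but too large"; if any caller ever needs to react differently to the second case, a distinct return value (or a documented error code) would be required.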
diff --git a/libavformat/asf.h b/libavformat/asf.h
index 01cc4f7a46..4d28560f56 100644
--- a/libavformat/asf.h
+++ b/libavformat/asf.h
@@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[];
* is unsupported by this function and 0 otherwise.
*/
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len);
+ uint32_t val_len);
#define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
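Review bot: the doc comment just above the prototype (`* is unsupported by this function and 0 otherwise.`) still describes the return value only in terms of unsupported tag names; with this change the function also returns 1 when `val_len > INT32_MAX`, so the comment should state that bound and make explicit that in both cases the caller is responsible for skipping `val_len` bytes of input itself, which is the whole reason the length is now passed through untruncated.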
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 02/11] libavformat/asfdec: fix get_value return type and add checks for
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 01/11] " softworkz
@ 2022-05-08 3:01 ` softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 03/11] libavformat/asfdec: fix type of value_len softworkz
` (9 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
unsupported values
get_value had a return type of int, which means that reading
QWORDS (case 4) was broken due to truncation of the result from
avio_rl64().
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 57 +++++++++++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index a8f36ed286..0fa2bbf653 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -202,7 +202,7 @@ static int asf_probe(const AVProbeData *pd)
/* size of type 2 (BOOL) is 32bit for "Extended Content Description Object"
* but 16 bit for "Metadata Object" and "Metadata Library Object" */
-static int get_value(AVIOContext *pb, int type, int type2_size)
+static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
{
switch (type) {
case ASF_BOOL:
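Review bot: changing get_value's return type to `uint64_t` fixes the QWORD truncation described in the commit message, but this hunk does not touch any caller, and a call site that still stores the result in an `int` now truncates silently instead of being caught; it would be worth auditing every `= get_value(` in asfdec_f.c within this same patch (the AspectRatio sites are handled below, but others are not shown) so the widened type is not lost again one line later.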
@@ -548,6 +548,8 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num = 0;
+ uint64_t dar_den = 0;
int desc_count, i, ret;
desc_count = avio_rl16(pb);
@@ -567,14 +569,27 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
* since it's unused. */
- if (!strcmp(name, "AspectRatioX"))
- asf->dar[0].num = get_value(s->pb, value_type, 32);
- else if (!strcmp(name, "AspectRatioY"))
- asf->dar[0].den = get_value(s->pb, value_type, 32);
+ if (!strcmp(name, "AspectRatioX")) {
+ dar_num = get_value(s->pb, value_type, 32);
+ if (dar_num > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num);
+ return AVERROR(ENOTSUP);
+ }
+ }
+ else if (!strcmp(name, "AspectRatioY")) {
+ dar_den = get_value(s->pb, value_type, 32);
+ if (dar_den > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den);
+ return AVERROR(ENOTSUP);
+ }
+ }
else
get_tag(s, name, value_type, value_len, 32);
}
+ if (dar_num && dar_den)
+ av_reduce(&asf->dar[0].num, &asf->dar[0].den, dar_num, dar_den, INT_MAX);
+
return 0;
}
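Review bot: `if (dar_num > INT64_MAX)` returning `AVERROR(ENOTSUP)` aborts parsing of the whole Extended Content Description object because of a single out-of-range aspect-ratio tag. The bound itself is right, since av_reduce takes int64_t numerator and denominator, but a bogus metadata value is not a reason to fail the demuxer; logging it and leaving `asf->dar[0]` untouched (the value has already been consumed from the stream by get_value, so parsing can continue) is the more robust reaction. Minor: av_reduce returns 0 when the reduction was inexact and that result is discarded here; that is acceptable for a display aspect ratio but deserves a one-line comment so it does not read as an unchecked call.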
@@ -602,6 +617,8 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num[128] = {0};
+ uint64_t dar_den[128] = {0};
int n, stream_num, name_len_utf16, name_len_utf8, value_len;
int ret, i;
n = avio_rl16(pb);
@@ -629,17 +646,29 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
- if (!strcmp(name, "AspectRatioX")){
- int aspect_x = get_value(s->pb, value_type, 16);
- if(stream_num < 128)
- asf->dar[stream_num].num = aspect_x;
- } else if(!strcmp(name, "AspectRatioY")){
- int aspect_y = get_value(s->pb, value_type, 16);
- if(stream_num < 128)
- asf->dar[stream_num].den = aspect_y;
- } else {
+ if (!strcmp(name, "AspectRatioX") && stream_num < 128) {
+ dar_num[stream_num] = get_value(s->pb, value_type, 16);
+ if (dar_num[stream_num] > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
+ }
+ else if (!strcmp(name, "AspectRatioY") && stream_num < 128) {
+ dar_den[stream_num] = get_value(s->pb, value_type, 16);
+ if (dar_den[stream_num] > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
+ } else
get_tag(s, name, value_type, value_len, 16);
+
+
+ if (stream_num < 128 && dar_num[stream_num] && dar_den[stream_num]) {
+ av_reduce(&asf->dar[stream_num].num, &asf->dar[stream_num].den, dar_num[stream_num], dar_den[stream_num], INT_MAX);
+ dar_num[stream_num] = 0;
+ dar_den[stream_num] = 0;
}
+
av_freep(&name);
}
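Review bot: same concern as in asf_read_ext_content_desc: one AspectRatioX/Y value above INT64_MAX now makes the Metadata Object fail with `AVERROR(ENOTSUP)` instead of being ignored, which turns a harmless metadata oddity into a file that no longer demuxes. Two style points: the hunk adds two consecutive empty `+` lines before the av_reduce block, and the brace-less `} else` followed by a single `get_tag(...)` line is inconsistent with the braced branches above it. One behaviour change the commit message does not mention: for `stream_num >= 128` the AspectRatio tags now fall through to get_tag (which reads and stores them as ordinary tags) rather than being read by get_value and dropped; that looks harmless, but it should be stated as intentional.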
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 03/11] libavformat/asfdec: fix type of value_len
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 01/11] " softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
@ 2022-05-08 3:01 ` softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 04/11] libavformat/asfdec: fixing get_tag softworkz
` (8 subsequent siblings)
11 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
The value_len is a uint32, not an int32, per spec. That
value must not be truncated, neither by casting to int, nor by any
conditional checks, because at the end of get_tag, this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 0fa2bbf653..3014ef558d 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -218,7 +218,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
}
}
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
char *value = NULL;
@@ -528,7 +528,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
static int asf_read_content_desc(AVFormatContext *s, int64_t size)
{
AVIOContext *pb = s->pb;
- int len1, len2, len3, len4, len5;
+ uint32_t len1, len2, len3, len4, len5;
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
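Review bot: `len1` to `len5` are read with avio_rl16, which yields at most 0xFFFF, so widening them to `uint32_t` declares a wider field than the Content Description object actually has. If the aim is to mirror the on-disk width, as the commit message does for value_len, `uint16_t` documents the spec more accurately; if the aim is only to match get_tag's new `uint32_t len` parameter, the implicit promotion from uint16_t already does that without implying a 32-bit field.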
@@ -619,25 +619,23 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
- int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int n, name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type;
+ uint32_t value_len;
int ret, i;
n = avio_rl16(pb);
for (i = 0; i < n; i++) {
uint8_t *name;
- int value_type;
avio_rl16(pb); // lang_list_index
- stream_num = avio_rl16(pb);
- name_len_utf16 = avio_rl16(pb);
- value_type = avio_rl16(pb); /* value_type */
- value_len = avio_rl32(pb);
+ stream_num = (uint16_t)avio_rl16(pb);
+ name_len_utf16 = (uint16_t)avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb); /* value_type */
+ value_len = avio_rl32(pb);
- if (value_len < 0 || value_len > UINT16_MAX)
- return AVERROR_INVALIDDATA;
-
- name_len_utf8 = 2*name_len_utf16 + 1;
- name = av_malloc(name_len_utf8);
+ name_len_utf8 = 2 * name_len_utf16 + 1;
+ name = av_malloc(name_len_utf8);
if (!name)
return AVERROR(ENOMEM);
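Review bot: dropping the `value_len > UINT16_MAX` rejection without a replacement leaves, at this point in the series, no bound on value_len before it reaches get_tag(), where the av_assert0 on len still exists (patch 04 removes it later); on this intermediate commit a crafted metadata object therefore aborts instead of being rejected with AVERROR_INVALIDDATA. Keep a range check until get_tag() can cope, or reorder the series. The explicit (uint16_t) casts on the avio_rl16() results are also unnecessary: the function returns at most 0xFFFF, so the implicit conversion is exact.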
--
ffmpeg-codebot
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH v3 04/11] libavformat/asfdec: fixing get_tag
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
These three are closely related and can't be separated easily:
In get_tag, the code was adding 22 bytes (in order to allow
it to hold 64bit numbers as string) to the value len for
creating a buffer. This was unnecessarily imposing a
size-constraint on the value_len parameter.
The code in get_tag was limiting the maximum value_len to
half the size of INT32. This was applied for all value types, even
though it is required only in case of ASF_UNICODE, not for any
other ones (like ASCII).
get_tag was always allocating a buffer regardless of the
datatype, even though this isn't required in case of ASF_BYTE_ARRAY.
The check for the return value from ff_asf_handle_byte_array()
being >0 is removed here because the log message is emitted
by the function itself now.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 3014ef558d..8071325a2f 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -221,37 +221,63 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
- char *value = NULL;
int64_t off = avio_tell(s->pb);
-#define LEN 22
-
- av_assert0((unsigned)len < (INT_MAX - LEN) / 2);
+ char *value = NULL;
+ uint64_t required_bufferlen;
+ int buffer_len;
if (!asf->export_xmp && !strncmp(key, "xmp", 3))
goto finish;
- value = av_malloc(2 * len + LEN);
+ switch (type) {
+ case ASF_UNICODE:
+ required_bufferlen = (uint64_t)len * 2 + 1;
+ break;
+ case -1: // ASCII
+ required_bufferlen = (uint64_t)len + 1;
+ break;
+ case ASF_BYTE_ARRAY:
+ ff_asf_handle_byte_array(s, key, len);
+ goto finish;
+ case ASF_BOOL:
+ case ASF_DWORD:
+ case ASF_QWORD:
+ case ASF_WORD:
+ required_bufferlen = 22;
+ break;
+ case ASF_GUID:
+ required_bufferlen = 33;
+ break;
+ default:
+ required_bufferlen = len;
+ break;
+ }
+
+ if (required_bufferlen > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle values > INT32_MAX in tag %s.\n", key);
+ goto finish;
+ }
+
+ buffer_len = (int)required_bufferlen;
+
+ value = av_malloc(buffer_len);
if (!value)
goto finish;
switch (type) {
case ASF_UNICODE:
- avio_get_str16le(s->pb, len, value, 2 * len + 1);
+ avio_get_str16le(s->pb, len, value, buffer_len);
break;
- case -1: // ASCI
- avio_read(s->pb, value, len);
- value[len]=0;
+ case -1: // ASCII
+ avio_read(s->pb, value, buffer_len - 1);
+ value[buffer_len - 1] = 0;
break;
- case ASF_BYTE_ARRAY:
- if (ff_asf_handle_byte_array(s, key, len) > 0)
- av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", key);
- goto finish;
case ASF_BOOL:
case ASF_DWORD:
case ASF_QWORD:
case ASF_WORD: {
uint64_t num = get_value(s->pb, type, type2_size);
- snprintf(value, LEN, "%"PRIu64, num);
+ snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
case ASF_GUID:
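Review bot: the default and ASF_GUID branches of the first switch compute required_bufferlen and allocate `value` even though the second switch, at this commit, only logs an "Unsupported" message for those types (patch 05 adds GUID parsing later); move the `goto finish` ahead of the allocation as the ASF_BYTE_ARRAY case already does. Separately, for `case -1` the allocation is `len + 1` with len taken straight from the file and bounded only by INT32_MAX, so a header can request close to 2 GiB before a single payload byte is verified to exist; bounding len by the remaining object size (ffio_limit() serves that purpose in asf_read_stream_properties) would avoid that, and a failed av_malloc() currently falls through to finish silently, where a log line or an AVERROR(ENOMEM) would help.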
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 05/11] libavformat/asfdec: implement parsing of GUID values
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 8071325a2f..9ad2ca946b 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -280,9 +280,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len,
snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
- case ASF_GUID:
- av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
- goto finish;
+ case ASF_GUID: {
+ ff_asf_guid g;
+ ff_get_guid(s->pb, &g);
+ snprintf(value, buffer_len, "%x", g[0]);
+ break;
+ }
default:
av_log(s, AV_LOG_DEBUG,
"Unsupported value type %d in tag %s.\n", type, key);
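Review bot: `snprintf(value, buffer_len, "%x", g[0])` formats only the first byte of the 16-byte ff_asf_guid, so the exported tag value is a single hex byte rather than the GUID; the 33-byte buffer sized for ASF_GUID in patch 04 suggests the intent was all 16 bytes as 32 hex digits, which needs a loop with "%02x" per byte (plain "%x" drops the leading zero of bytes below 0x10). The return value of ff_get_guid() is also ignored, so a truncated object leaves g uninitialised; check it and goto finish on error. The commit message is empty and should state the output format chosen for GUID tags.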
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 06/11] libavformat/asfdec: remove unused parameters
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 9ad2ca946b..19b4a5fad1 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -299,7 +299,7 @@ finish:
avio_seek(s->pb, off + len, SEEK_SET);
}
-static int asf_read_file_properties(AVFormatContext *s, int64_t size)
+static int asf_read_file_properties(AVFormatContext *s)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
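Review bot: the commit message is empty; it should state that `size` was unused in each of the functions changed here and why asf_read_stream_properties() keeps its parameter (it uses size to bound the video type-specific data and the extradata read). Without that, a reader of the log cannot tell this cleanup from an accidental loss of a bounds check.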
@@ -494,7 +494,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_ext_stream_properties(AVFormatContext *s)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
@@ -554,7 +554,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_content_desc(AVFormatContext *s, int64_t size)
+static int asf_read_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
uint32_t len1, len2, len3, len4, len5;
@@ -573,7 +573,7 @@ static int asf_read_content_desc(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
+static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -622,7 +622,7 @@ static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_language_list(AVFormatContext *s, int64_t size)
+static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -642,7 +642,7 @@ static int asf_read_language_list(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_metadata(AVFormatContext *s, int64_t size)
+static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -702,7 +702,7 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
return 0;
}
-static int asf_read_marker(AVFormatContext *s, int64_t size)
+static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ -781,21 +781,21 @@ static int asf_read_header(AVFormatContext *s)
if (gsize < 24)
return AVERROR_INVALIDDATA;
if (!ff_guidcmp(&g, &ff_asf_file_header)) {
- ret = asf_read_file_properties(s, gsize);
+ ret = asf_read_file_properties(s);
} else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
ret = asf_read_stream_properties(s, gsize);
} else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
- asf_read_content_desc(s, gsize);
+ asf_read_content_desc(s);
} else if (!ff_guidcmp(&g, &ff_asf_language_guid)) {
- asf_read_language_list(s, gsize);
+ asf_read_language_list(s);
} else if (!ff_guidcmp(&g, &ff_asf_extended_content_header)) {
- asf_read_ext_content_desc(s, gsize);
+ asf_read_ext_content_desc(s);
} else if (!ff_guidcmp(&g, &ff_asf_metadata_header)) {
- asf_read_metadata(s, gsize);
+ asf_read_metadata(s);
} else if (!ff_guidcmp(&g, &ff_asf_metadata_library_header)) {
- asf_read_metadata(s, gsize);
+ asf_read_metadata(s);
} else if (!ff_guidcmp(&g, &ff_asf_ext_stream_header)) {
- asf_read_ext_stream_properties(s, gsize);
+ asf_read_ext_stream_properties(s);
// there could be an optional stream properties object to follow
// if so the next iteration will pick it up
@@ -805,7 +805,7 @@ static int asf_read_header(AVFormatContext *s)
avio_skip(pb, 6);
continue;
} else if (!ff_guidcmp(&g, &ff_asf_marker_header)) {
- asf_read_marker(s, gsize);
+ asf_read_marker(s);
} else if (avio_feof(pb)) {
return AVERROR_EOF;
} else {
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 07/11] libavformat/asfdec: fix macro definition and use
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 19b4a5fad1..9a6f45d9a5 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -905,21 +905,21 @@ static int asf_read_header(AVFormatContext *s)
}
#define DO_2BITS(bits, var, defval) \
- switch (bits & 3) { \
+ switch ((bits) & 3) { \
case 3: \
- var = avio_rl32(pb); \
+ (var) = avio_rl32(pb); \
rsize += 4; \
break; \
case 2: \
- var = avio_rl16(pb); \
+ (var) = avio_rl16(pb); \
rsize += 2; \
break; \
case 1: \
- var = avio_r8(pb); \
+ (var) = avio_r8(pb); \
rsize++; \
break; \
default: \
- var = defval; \
+ (var) = (defval); \
break; \
}
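Review bot: parenthesising the macro arguments is right, but the companion change in the later hunks removes the semicolons after every DO_2BITS() invocation, leaving calls that do not read as statements and that break as soon as one is placed in an unbraced `if`/`else`. The idiomatic fix is to wrap the macro body in `do { ... } while (0)` and keep the call-site semicolons; the expansion then stays a single statement and the invocations need no change.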
@@ -1002,9 +1002,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
asf->packet_flags = c;
asf->packet_property = d;
- DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
- DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
- DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
+ DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
+ DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
+ DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
// the following checks prevent overflows and infinite loops
if (!packet_length || packet_length >= (1U << 29)) {
@@ -1065,9 +1065,9 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
asf->stream_index = asf->asfid2avid[num & 0x7f];
asfst = &asf->streams[num & 0x7f];
// sequence should be ignored!
- DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
- DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
- DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
+ DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
+ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
+ DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d replic_size:%d num:%X packet_property %X\n",
asf->packet_key_frame, asf->stream_index, asf->packet_seq,
asf->packet_frag_offset, asf->packet_replic_size, num, asf->packet_property);
@@ -1143,7 +1143,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_flags & 0x01) {
- DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
+ DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) // 0 is illegal
if (rsize > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
return AVERROR_INVALIDDATA;
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 08/11] libavformat/asfdec: remove variable redefinition in inner scope
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 9a6f45d9a5..928e5717fc 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1190,7 +1190,7 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
return AVERROR_EOF;
if (asf->packet_size_left < FRAME_HEADER_SIZE ||
asf->packet_segments < 1 && asf->packet_time_start == 0) {
- int ret = asf->packet_size_left + asf->packet_padsize;
+ ret = asf->packet_size_left + asf->packet_padsize;
if (asf->packet_size_left && asf->packet_size_left < FRAME_HEADER_SIZE)
av_log(s, AV_LOG_WARNING, "Skip due to FRAME_HEADER_SIZE\n");
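Review bot: reusing the function-scope `ret` here is only safe if no earlier value of `ret` is still needed after this block; neither the outer declaration nor its later readers are visible in the hunk, so the commit message should say where `ret` is declared and why overwriting it on this path is harmless. While touching this block, the condition `asf->packet_size_left < FRAME_HEADER_SIZE || asf->packet_segments < 1 && asf->packet_time_start == 0` mixes && and || without parentheses and trips -Wparentheses; parenthesising the && term would document the intended precedence.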
@@ -1259,7 +1259,6 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
if (asf_st->pkt.size != asf_st->packet_obj_size ||
// FIXME is this condition sufficient?
asf_st->frag_offset + asf->packet_frag_size > asf_st->pkt.size) {
- int ret;
if (asf_st->pkt.data) {
av_log(s, AV_LOG_INFO,
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 09/11] libavformat/asfdec: ensure variables are initialized
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 928e5717fc..4af8200f89 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -977,6 +977,7 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
avio_seek(pb, -1, SEEK_CUR); // FIXME
}
} else {
+ d = e = 0;
c = avio_r8(pb);
if (c & 0x80) {
rsize ++;
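Review bot: the commit message is empty; it should name the path that left d and e unset (this else branch reads only c, while d is later stored into asf->packet_property) and whether a compiler or sanitizer warning prompted the change. Initialising d and e at their declaration would make the intent clearer than an assignment inside one branch.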
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 4af8200f89..3663f31330 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -323,7 +323,7 @@ static int asf_read_file_properties(AVFormatContext *s)
return 0;
}
-static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
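Review bot: widening `size` to uint64_t silently changes the comparison `size - (avio_tell(pb) - pos1 + 24) >= 51` in the video branch of this function (visible in patch 11): when the object is shorter than what has already been consumed, the int64_t form goes negative and fails the test, but the uint64_t form wraps to a huge value and passes, so a truncated stream-properties object now enters the video parsing path. Compute the remaining byte count in a signed variable and reject a negative result before that comparison, and explain the type change in the currently empty commit message.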
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v3 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values
From: softworkz @ 2022-05-08 3:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 168 ++++++++++++++++++++++++++---------------
1 file changed, 108 insertions(+), 60 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 3663f31330..da43c2bc11 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -332,9 +332,9 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
ASFStream *asf_st;
ff_asf_guid g;
enum AVMediaType type;
- int type_specific_size, sizeX;
- unsigned int tag1;
- int64_t pos1, pos2, start_time;
+ unsigned int tag1, type_specific_size, sizeX;
+ int64_t pos1, pos2;
+ uint32_t start_time;
int test_for_ext_stream_audio, is_dvr_ms_audio = 0;
if (s->nb_streams == ASF_MAX_STREAMS) {
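Review bot: a 168-line change with no commit message; every type change in this hunk has a semantic effect (start_time shrinks from int64_t to uint32_t, sizeX and type_specific_size become unsigned so their comparisons change meaning), and the AVERROR(ENOTSUP) returns added below introduce a failure mode callers did not see before. Please describe the rationale and list which fields gained range checks.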
@@ -403,7 +403,14 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
st->codecpar->codec_type = type;
if (type == AVMEDIA_TYPE_AUDIO) {
- int ret = ff_get_wav_header(s, pb, st->codecpar, type_specific_size, 0);
+ int ret;
+
+ if (type_specific_size > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported WAV header size (> INT32_MAX)\n");
+ return AVERROR(ENOTSUP);
+ }
+
+ ret = ff_get_wav_header(s, pb, st->codecpar, (int)type_specific_size, 0);
if (ret < 0)
return ret;
if (is_dvr_ms_audio) {
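Review bot: a WAV header size above INT32_MAX is a corrupt or hostile header, not an unsupported feature, so AVERROR_INVALIDDATA matches how the rest of this demuxer reports bad sizes; AVERROR(ENOTSUP) tells callers a newer build might handle the file. The AV_LOG_DEBUG level also hides the reason from users who only see a bare error; AV_LOG_ERROR or WARNING is the convention when rejecting input. The same applies to the other ENOTSUP returns added later in this patch.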
@@ -433,21 +440,32 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
}
} else if (type == AVMEDIA_TYPE_VIDEO &&
size - (avio_tell(pb) - pos1 + 24) >= 51) {
+ unsigned int width, height;
avio_rl32(pb);
avio_rl32(pb);
avio_r8(pb);
avio_rl16(pb); /* size */
- sizeX = avio_rl32(pb); /* size */
- st->codecpar->width = avio_rl32(pb);
- st->codecpar->height = avio_rl32(pb);
+ sizeX = avio_rl32(pb); /* size */
+ width = avio_rl32(pb);
+ height = avio_rl32(pb);
+
+ if (width > INT32_MAX || height > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height);
+ return AVERROR(ENOTSUP);
+ }
+
+ st->codecpar->width = (int)width;
+ st->codecpar->height = (int)height;
/* not available for asf */
avio_rl16(pb); /* panes */
st->codecpar->bits_per_coded_sample = avio_rl16(pb); /* depth */
tag1 = avio_rl32(pb);
avio_skip(pb, 20);
if (sizeX > 40) {
- if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
- return AVERROR_INVALIDDATA;
+ if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported extradata size\n");
+ return AVERROR(ENOTSUP);
+ }
st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40);
st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size +
AV_INPUT_BUFFER_PADDING_SIZE);
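Review bot: `"Unsupported video size %dx%d\n"` prints unsigned values with %d; use %u (the same mismatch recurs in the later hunks for len, packet_ts, packet_size_left and padsize, and `"len %4d"` in asf_read_metadata prints value_len, which is uint32_t since patch 03). The extradata branch also changes the verdict for `size < sizeX - 40` from AVERROR_INVALIDDATA to AVERROR(ENOTSUP), but that condition means the declared extradata does not fit in the object, which is invalid data rather than an unsupported size; keep INVALIDDATA there.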
@@ -499,9 +517,9 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
ff_asf_guid g;
- int ext_len, payload_ext_ct, stream_ct, i;
- uint32_t leak_rate, stream_num;
- unsigned int stream_languageid_index;
+ uint16_t payload_ext_ct, stream_ct, i;
+ uint32_t leak_rate, ext_len;
+ uint16_t stream_languageid_index, stream_num;
avio_rl64(pb); // starttime
avio_rl64(pb); // endtime
@@ -513,15 +531,15 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
avio_rl32(pb); // alt-init-bucket-fullness
avio_rl32(pb); // max-object-size
avio_rl32(pb); // flags (reliable,seekable,no_cleanpoints?,resend-live-cleanpoints, rest of bits reserved)
- stream_num = avio_rl16(pb); // stream-num
+ stream_num = (uint16_t)avio_rl16(pb); // stream-num
- stream_languageid_index = avio_rl16(pb); // stream-language-id-index
+ stream_languageid_index = (uint16_t)avio_rl16(pb); // stream-language-id-index
if (stream_num < 128)
asf->streams[stream_num].stream_language_index = stream_languageid_index;
avio_rl64(pb); // avg frametime in 100ns units
- stream_ct = avio_rl16(pb); // stream-name-count
- payload_ext_ct = avio_rl16(pb); // payload-extension-system-count
+ stream_ct = (uint16_t)avio_rl16(pb); // stream-name-count
+ payload_ext_ct = (uint16_t)avio_rl16(pb); // payload-extension-system-count
if (stream_num < 128) {
asf->stream_bitrates[stream_num] = leak_rate;
@@ -535,12 +553,10 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
}
for (i = 0; i < payload_ext_ct; i++) {
- int size;
+ uint16_t size;
ff_get_guid(pb, &g);
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
ext_len = avio_rl32(pb);
- if (ext_len < 0)
- return AVERROR_INVALIDDATA;
avio_skip(pb, ext_len);
if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
ASFPayload *p = &asf->streams[stream_num].payload[i];
@@ -579,20 +595,21 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num = 0;
uint64_t dar_den = 0;
- int desc_count, i, ret;
+ uint16_t desc_count, i;
+ int ret;
- desc_count = avio_rl16(pb);
+ desc_count = (uint16_t)avio_rl16(pb);
for (i = 0; i < desc_count; i++) {
- int name_len, value_type, value_len;
+ uint16_t name_len, value_type, value_len;
char name[1024];
- name_len = avio_rl16(pb);
+ name_len = (uint16_t)avio_rl16(pb);
if (name_len % 2) // must be even, broken lavf versions wrote len-1
name_len += 1;
if ((ret = avio_get_str16le(pb, name_len, name, sizeof(name))) < name_len)
avio_skip(pb, name_len - ret);
- value_type = avio_rl16(pb);
- value_len = avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb);
+ value_len = (uint16_t)avio_rl16(pb);
if (!value_type && value_len % 2)
value_len += 1;
/* My sample has that stream set to 0 maybe that mean the container.
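Review bot: with name_len and value_len now uint16_t, the `+= 1` adjustments for odd lengths wrap to 0 when the field is 0xFFFF (as int they produced 65536), so avio_get_str16le() reads nothing and the following value read starts at the wrong offset, desynchronising the rest of the descriptor list. Keep these two as int or unsigned, or reject 0xFFFF explicitly before rounding up.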
@@ -626,14 +643,16 @@ static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int j, ret;
- int stream_count = avio_rl16(pb);
+ int ret;
+ uint16_t j;
+ const uint16_t stream_count = (uint16_t)avio_rl16(pb);
+
for (j = 0; j < stream_count; j++) {
char lang[6];
- unsigned int lang_len = avio_r8(pb);
+ const uint8_t lang_len = (uint8_t)avio_r8(pb);
if ((ret = avio_get_str16le(pb, lang_len, lang,
sizeof(lang))) < lang_len)
- avio_skip(pb, lang_len - ret);
+ avio_skip(pb, (int)lang_len - ret);
if (j < 128)
av_strlcpy(asf->stream_languages[j], lang,
sizeof(*asf->stream_languages));
@@ -648,14 +667,14 @@ static int asf_read_metadata(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
- int n, name_len_utf8;
- uint16_t stream_num, name_len_utf16, value_type;
+ int name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type, i, n;
uint32_t value_len;
- int ret, i;
- n = avio_rl16(pb);
+ int ret;
+ n = (uint16_t)avio_rl16(pb);
for (i = 0; i < n; i++) {
- uint8_t *name;
+ char *name;
avio_rl16(pb); // lang_list_index
stream_num = (uint16_t)avio_rl16(pb);
@@ -669,7 +688,7 @@ static int asf_read_metadata(AVFormatContext *s)
return AVERROR(ENOMEM);
if ((ret = avio_get_str16le(pb, name_len_utf16, name, name_len_utf8)) < name_len_utf16)
- avio_skip(pb, name_len_utf16 - ret);
+ avio_skip(pb, (int)name_len_utf16 - ret);
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
@@ -706,19 +725,21 @@ static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int i, count, name_len, ret;
+ int ret;
+ unsigned count, i;
+ uint16_t name_len;
char name[1024];
avio_rl64(pb); // reserved 16 bytes
avio_rl64(pb); // ...
count = avio_rl32(pb); // markers count
avio_rl16(pb); // reserved 2 bytes
- name_len = avio_rl16(pb); // name length
+ name_len = (uint16_t)avio_rl16(pb); // name length
avio_skip(pb, name_len);
for (i = 0; i < count; i++) {
- int64_t pres_time;
- int name_len;
+ uint64_t pres_time;
+ unsigned name2_len;
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
@@ -729,13 +750,18 @@ static int asf_read_marker(AVFormatContext *s)
avio_rl16(pb); // entry length
avio_rl32(pb); // send time
avio_rl32(pb); // flags
- name_len = avio_rl32(pb); // name length
- if ((unsigned)name_len > INT_MAX / 2)
+ name2_len = avio_rl32(pb); // name length
+ if (name2_len > INT_MAX / 2)
return AVERROR_INVALIDDATA;
- if ((ret = avio_get_str16le(pb, name_len * 2, name,
- sizeof(name))) < name_len)
- avio_skip(pb, name_len - ret);
- avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, pres_time,
+ if ((ret = avio_get_str16le(pb, (int)name2_len, name,
+ sizeof(name))) < name2_len)
+ avio_skip(pb, name2_len - ret);
+
+ if (pres_time > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported presentation time value: %"PRIu64"\n", pres_time);
+ return AVERROR(ENOTSUP);
+ }
+ avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, (int64_t)pres_time,
AV_NOPTS_VALUE, name);
}
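Review bot: `avio_get_str16le(pb, (int)name2_len, ...)` drops the `* 2` the old code applied to name_len, so the number of bytes read per marker name changes from 2*name_len to name_len; if the marker object stores the name length in UTF-16 code units, as the old multiplication implies, names are now read at half length and the subsequent `avio_skip(pb, name2_len - ret)` lands mid-string. Either this is an intentional fix of a long-standing bug and needs a commit-message explanation with a sample file, or the multiplication should stay.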
@@ -748,7 +774,7 @@ static int asf_read_header(AVFormatContext *s)
ff_asf_guid g;
AVIOContext *pb = s->pb;
int i;
- int64_t gsize;
+ uint64_t gsize;
ff_get_guid(pb, &g);
if (ff_guidcmp(&g, &ff_asf_header))
@@ -763,7 +789,7 @@ static int asf_read_header(AVFormatContext *s)
asf->streams[i].stream_language_index = 128; // invalid stream index means no language info
for (;;) {
- uint64_t gpos = avio_tell(pb);
+ const int64_t gpos = avio_tell(pb);
int ret = 0;
ff_get_guid(pb, &g);
gsize = avio_rl64(pb);
@@ -818,7 +844,12 @@ static int asf_read_header(AVFormatContext *s)
len= avio_rl32(pb);
av_log(s, AV_LOG_DEBUG, "Secret data:\n");
- if ((ret = av_get_packet(pb, pkt, len)) < 0)
+ if (len > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported encryption packet length: %d\n", len);
+ return AVERROR(ENOTSUP);
+ }
+
+ if ((ret = av_get_packet(pb, pkt, (int)len)) < 0)
return ret;
av_hex_dump_log(s, AV_LOG_DEBUG, pkt->data, pkt->size);
av_packet_unref(pkt);
@@ -932,7 +963,7 @@ static int asf_read_header(AVFormatContext *s)
static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
{
ASFContext *asf = s->priv_data;
- uint32_t packet_length, padsize;
+ uint32_t packet_length, packet_ts, padsize;
int rsize = 8;
int c, d, e, off;
@@ -1020,7 +1051,12 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
- asf->packet_timestamp = avio_rl32(pb);
+ packet_ts = avio_rl32(pb);
+ if (packet_ts > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_timestamp value: %d\n", packet_ts);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_timestamp = (int)packet_ts;
avio_rl16(pb); /* duration */
// rsize has at least 11 bytes which have to be present
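Review bot: a packet timestamp above INT32_MAX (about 24.8 days in milliseconds) is a legitimate value for a long recording, so returning AVERROR(ENOTSUP) here makes such files unreadable, where previously the value was stored into the int field; since packet_timestamp is assigned through an (int) cast, widening that field to int64_t would accept the value instead of rejecting the file.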
@@ -1039,10 +1075,21 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
rsize, packet_length, padsize, avio_tell(pb));
return AVERROR_INVALIDDATA;
}
- asf->packet_size_left = packet_length - padsize - rsize;
+
+ if (packet_length - padsize - rsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_size_left value: %d\n", packet_length - padsize - rsize);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_size_left = (int)(packet_length - padsize - rsize);
+
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
- asf->packet_padsize = padsize;
+ if (padsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet padsize value: %d\n", padsize);
+ return AVERROR(ENOTSUP);
+ }
+
+ asf->packet_padsize = (int)padsize;
av_log(s, AV_LOG_TRACE, "packet: size=%d padsize=%d left=%d\n",
s->packet_size, asf->packet_padsize, asf->packet_size_left);
return 0;
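Review bot: `packet_length - padsize - rsize` is evaluated three times (guard, log and assignment) and printed with `%d` although the expression is unsigned (`packet_length` and `padsize` are `uint32_t`); compute it once into a `uint32_t` local, print it with `%"PRIu32"`, and use the local in both the guard and the assignment. The `%d` on `padsize` in the second new check should be `%"PRIu32"` as well. The guard is only meaningful if the preceding AVERROR_INVALIDDATA check (whose log call is visible at the top of the hunk) already guarantees `packet_length >= padsize + rsize`; otherwise the subtraction wraps before the comparison ever sees it.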
@@ -1077,22 +1124,23 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_replic_size >= 8) {
- int64_t end = avio_tell(pb) + asf->packet_replic_size;
+ const int64_t end = avio_tell(pb) + asf->packet_replic_size;
AVRational aspect;
- asfst->packet_obj_size = avio_rl32(pb);
- if (asfst->packet_obj_size >= (1 << 24) || asfst->packet_obj_size < 0) {
+ const unsigned packet_obj_size = avio_rl32(pb);
+ if (packet_obj_size >= (1 << 24)) {
av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size);
asfst->packet_obj_size = 0;
return AVERROR_INVALIDDATA;
}
+ asfst->packet_obj_size = (int)packet_obj_size;
asf->packet_frag_timestamp = avio_rl32(pb); // timestamp
for (i = 0; i < asfst->payload_ext_ct; i++) {
ASFPayload *p = &asfst->payload[i];
- int size = p->size;
+ uint16_t size = p->size;
int64_t payend;
if (size == 0xFFFF)
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
payend = avio_tell(pb) + size;
if (payend > end) {
av_log(s, AV_LOG_ERROR, "too long payload\n");
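Review bot: the error log at `packet_obj_size %d invalid` still prints `asfst->packet_obj_size`, but the assignment to that field has been moved below the check, so the message now reports the stale value from the previous packet instead of the rejected `packet_obj_size` that was just read; print the local (with `%u`) instead. The rest of the hunk looks right: `0xFFFF` fits in the new `uint16_t size`, and the `payend > end` check keeps its `int64_t` arithmetic.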
@@ -1493,7 +1541,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
ASFStream *asf_st;
int64_t pts;
int64_t pos = *ppos;
- int i;
+ unsigned i;
int64_t start_pos[ASF_MAX_STREAMS];
for (i = 0; i < s->nb_streams; i++)
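Review bot: `unsigned i` matches `s->nb_streams` in the loop condition shown here, but the hunk does not show the other uses of `i` in asf_read_pts; please confirm that none of them (notably any comparison with the `int stream_index` parameter) turns into a mixed signed/unsigned comparison, since only the declaration changed.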
@@ -1550,7 +1598,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
int64_t ret;
if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) {
- return ret;
+ return (int)ret;
}
if ((ret = ff_get_guid(s->pb, &g)) < 0)
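Review bot: `return (int)ret;` is safe because AVERROR codes fit in an `int`, but the cast exists only because `ret` is `int64_t` to receive avio_seek's result; using a separate `int64_t` for the seek position and keeping `ret` as `int` (as the `ff_get_guid` call on the next line already expects) would remove the cast and make the error path read like the rest of the file.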
--
ffmpeg-codebot
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* Re: [FFmpeg-devel] [PATCH v3 06/11] libavformat/asfdec: remove unused parameters
From: Michael Niedermayer @ 2022-05-08 18:50 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, May 08, 2022 at 03:01:17AM +0000, softworkz wrote:
> From: softworkz <softworkz@hotmail.com>
>
> Signed-off-by: softworkz <softworkz@hotmail.com>
> ---
> libavformat/asfdec_f.c | 30 +++++++++++++++---------------
> 1 file changed, 15 insertions(+), 15 deletions(-)
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
* [FFmpeg-devel] [PATCH v4 00/10] libavformat/asf: fix handling of byte array length values
From: ffmpegagent @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
The spec allows attachment sizes of up to UINT32_MAX while we can handle
only sizes up to INT32_MAX (in downstream code)
The debug.assert in get_tag didn't really address this, and truncating the
value_len in calling methods cannot be used because the length value is
required in order to continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
v2: Rebased & PING
v3: Adjustments suggested by Michael
v4: 1 of 11 merged, 10 to go..
softworkz (10):
libavformat/asf: fix handling of byte array length values
libavformat/asfdec: fix get_value return type and add checks for
libavformat/asfdec: fix type of value_len
libavformat/asfdec: fixing get_tag
libavformat/asfdec: implement parsing of GUID values
libavformat/asfdec: fix macro definition and use
libavformat/asfdec: remove variable redefinition in inner scope
libavformat/asfdec: ensure variables are initialized
libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
libavformat/asfdec: fix variable types and add checks for unsupported
values
libavformat/asf.c | 8 +-
libavformat/asf.h | 2 +-
libavformat/asfdec_f.c | 338 +++++++++++++++++++++++++++--------------
3 files changed, 229 insertions(+), 119 deletions(-)
base-commit: e6f0cec88041449475f37b82b76699d2f7b5b124
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-12%2Fsoftworkz%2Fmaster-upstream_asf_4-v4
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-12/softworkz/master-upstream_asf_4-v4
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/12
Range-diff vs v3:
1: b5c56bf5d0 = 1: 60966b7907 libavformat/asf: fix handling of byte array length values
2: e6aa0fb7f3 ! 2: 5acab7b52b libavformat/asfdec: fix get_value return type and add checks for
@@ libavformat/asfdec_f.c: static int asf_probe(const AVProbeData *pd)
{
switch (type) {
case ASF_BOOL:
-@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
+@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s,
int desc_count, i, ret;
desc_count = avio_rl16(pb);
-@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
+@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
* since it's unused. */
@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s,
return 0;
}
-@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
+@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t
int n, stream_num, name_len_utf16, name_len_utf8, value_len;
int ret, i;
n = avio_rl16(pb);
-@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
+@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
3: b84474d729 ! 3: 97e0d765c9 libavformat/asfdec: fix type of value_len
@@ libavformat/asfdec_f.c: static uint64_t get_value(AVIOContext *pb, int type, int
{
ASFContext *asf = s->priv_data;
char *value = NULL;
-@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
- static int asf_read_content_desc(AVFormatContext *s, int64_t size)
+@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContext *s)
+ static int asf_read_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
- int len1, len2, len3, len4, len5;
@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContex
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
-@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
+@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
4: a54feb51a1 = 4: 025123f72d libavformat/asfdec: fixing get_tag
5: e14beb2c15 = 5: 2d01e4dff5 libavformat/asfdec: implement parsing of GUID values
6: 06062da88b < -: ---------- libavformat/asfdec: remove unused parameters
7: 273823a5b4 = 6: 33b3d163df libavformat/asfdec: fix macro definition and use
8: aaa37aca21 = 7: 1509b83f47 libavformat/asfdec: remove variable redefinition in inner scope
9: 6aedb68b76 = 8: fd31b0be2e libavformat/asfdec: ensure variables are initialized
10: 28ebbe7289 = 9: f8728b1c51 libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
11: bbeee5f2da = 10: 78ed5aeb38 libavformat/asfdec: fix variable types and add checks for unsupported values
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 01/10] libavformat/asf: fix handling of byte array length values
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
The spec allows attachment sizes of up to UINT32_MAX while
we can handle only sizes up to INT32_MAX (in downstream
code)
The debug.assert in get_tag didn't really address this,
and truncating the value_len in calling methods cannot
be used because the length value is required in order to
continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asf.c | 8 +++++++-
libavformat/asf.h | 2 +-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavformat/asf.c b/libavformat/asf.c
index 1285062220..bec7db0c7e 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -139,12 +139,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
}
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len)
+ uint32_t val_len)
{
+ if (val_len > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
+ return 1;
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
return asf_read_picture(s, val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
return get_id3_tag(s, val_len);
+ av_log(s, AV_LOG_DEBUG, "Unsupported byte array in tag %s.\n", name);
return 1;
}
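Review bot: the two new log messages use different levels (AV_LOG_VERBOSE for the `> INT32_MAX` case, AV_LOG_DEBUG for the generic unsupported case) although both report the same outcome, return 1 and the tag is skipped; pick one level or explain the difference in the commit message. Also, get_tag still logs `Unsupported byte array in tag %s` itself when the return is > 0 (that caller-side log is only removed in patch 04), so this commit on its own emits two messages for every unsupported byte array; moving that removal into this patch keeps each intermediate commit consistent. Returning 1 without consuming any of the `val_len` bytes assumes the caller skips the unread value afterwards; a comment stating that contract would help the next reader.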
diff --git a/libavformat/asf.h b/libavformat/asf.h
index 01cc4f7a46..4d28560f56 100644
--- a/libavformat/asf.h
+++ b/libavformat/asf.h
@@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[];
* is unsupported by this function and 0 otherwise.
*/
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len);
+ uint32_t val_len);
#define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
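Review bot: the doc comment above the prototype (visible here as `... is unsupported by this function and 0 otherwise.`) should also say that lengths above INT32_MAX are reported as unsupported (return 1) and that nothing is consumed from the stream in that case; otherwise a caller cannot tell from the header why a length that is valid per spec for a `uint32_t` is rejected.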
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 02/10] libavformat/asfdec: fix get_value return type and add checks for
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
unsupported values
get_value had a return type of int, which means that reading
QWORDS (case 4) was broken due to truncation of the result from
avio_rl64().
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 57 +++++++++++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 4770a812db..c7c4ba55d6 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -203,7 +203,7 @@ static int asf_probe(const AVProbeData *pd)
/* size of type 2 (BOOL) is 32bit for "Extended Content Description Object"
* but 16 bit for "Metadata Object" and "Metadata Library Object" */
-static int get_value(AVIOContext *pb, int type, int type2_size)
+static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
{
switch (type) {
case ASF_BOOL:
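Review bot: with the return type changed to `uint64_t`, any sentinel the function returns for an unknown `type` in its `default` branch (not shown in the hunk) is no longer distinguishable from a real value; a negative sentinel would become a value near UINT64_MAX. If the function has such a path, callers need another way to detect it, and the commit message should state what is returned for unsupported types.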
@@ -549,6 +549,8 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num = 0;
+ uint64_t dar_den = 0;
int desc_count, i, ret;
desc_count = avio_rl16(pb);
@@ -568,14 +570,27 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
* since it's unused. */
- if (!strcmp(name, "AspectRatioX"))
- asf->dar[0].num = get_value(s->pb, value_type, 32);
- else if (!strcmp(name, "AspectRatioY"))
- asf->dar[0].den = get_value(s->pb, value_type, 32);
+ if (!strcmp(name, "AspectRatioX")) {
+ dar_num = get_value(s->pb, value_type, 32);
+ if (dar_num > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num);
+ return AVERROR(ENOTSUP);
+ }
+ }
+ else if (!strcmp(name, "AspectRatioY")) {
+ dar_den = get_value(s->pb, value_type, 32);
+ if (dar_den > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den);
+ return AVERROR(ENOTSUP);
+ }
+ }
else
get_tag(s, name, value_type, value_len, 32);
}
+ if (dar_num && dar_den)
+ av_reduce(&asf->dar[0].num, &asf->dar[0].den, dar_num, dar_den, INT_MAX);
+
return 0;
}
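Review bot: returning AVERROR(ENOTSUP) from asf_read_ext_content_desc for an out-of-range `AspectRatioX`/`AspectRatioY` aborts demuxing of the whole file over a cosmetic metadata value; the old code tolerated anything, and an aspect ratio that cannot be represented should be logged and ignored (leave `asf->dar[0]` untouched) rather than treated as fatal. There is also a behavioural change worth naming in the commit message: an `AspectRatioX` without a matching `AspectRatioY` (or vice versa) no longer sets the half that was present, since `av_reduce` runs only when both are non-zero; arguably correct, but silent. Style: `}` followed by `else if` on its own line is not the `} else if (...) {` layout used elsewhere in the file.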
@@ -603,6 +618,8 @@ static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num[128] = {0};
+ uint64_t dar_den[128] = {0};
int n, stream_num, name_len_utf16, name_len_utf8, value_len;
int ret, i;
n = avio_rl16(pb);
@@ -630,17 +647,29 @@ static int asf_read_metadata(AVFormatContext *s)
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
- if (!strcmp(name, "AspectRatioX")){
- int aspect_x = get_value(s->pb, value_type, 16);
- if(stream_num < 128)
- asf->dar[stream_num].num = aspect_x;
- } else if(!strcmp(name, "AspectRatioY")){
- int aspect_y = get_value(s->pb, value_type, 16);
- if(stream_num < 128)
- asf->dar[stream_num].den = aspect_y;
- } else {
+ if (!strcmp(name, "AspectRatioX") && stream_num < 128) {
+ dar_num[stream_num] = get_value(s->pb, value_type, 16);
+ if (dar_num[stream_num] > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
+ }
+ else if (!strcmp(name, "AspectRatioY") && stream_num < 128) {
+ dar_den[stream_num] = get_value(s->pb, value_type, 16);
+ if (dar_den[stream_num] > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
+ } else
get_tag(s, name, value_type, value_len, 16);
+
+
+ if (stream_num < 128 && dar_num[stream_num] && dar_den[stream_num]) {
+ av_reduce(&asf->dar[stream_num].num, &asf->dar[stream_num].den, dar_num[stream_num], dar_den[stream_num], INT_MAX);
+ dar_num[stream_num] = 0;
+ dar_den[stream_num] = 0;
}
+
av_freep(&name);
}
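Review bot: moving the `stream_num < 128` test into the `strcmp` conditions changes behaviour: an `AspectRatioX`/`AspectRatioY` entry for a stream number of 128 or more used to be silently discarded and now falls through to `get_tag`, which exports it as an ordinary metadata string. If that is intended, say so in the commit message; if not, keep a separate branch for the out-of-range stream number. Minor: the two consecutive blank lines before the `if (stream_num < 128 && ...)` block should be one, and the unbraced `} else` single statement followed by a braced block reads oddly next to the braced `else if` branches above it.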
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 03/10] libavformat/asfdec: fix type of value_len
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
The value_len is a uint32, not an int32, per spec. That
value must not be truncated, neither by casting to int, nor by any
conditional checks, because at the end of get_tag, this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index c7c4ba55d6..eda7175c96 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
}
}
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
char *value = NULL;
@@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
static int asf_read_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
- int len1, len2, len3, len4, len5;
+ uint32_t len1, len2, len3, len4, len5;
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
@@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
- int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int n, name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type;
+ uint32_t value_len;
int ret, i;
n = avio_rl16(pb);
for (i = 0; i < n; i++) {
uint8_t *name;
- int value_type;
avio_rl16(pb); // lang_list_index
- stream_num = avio_rl16(pb);
- name_len_utf16 = avio_rl16(pb);
- value_type = avio_rl16(pb); /* value_type */
- value_len = avio_rl32(pb);
+ stream_num = (uint16_t)avio_rl16(pb);
+ name_len_utf16 = (uint16_t)avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb); /* value_type */
+ value_len = avio_rl32(pb);
- if (value_len < 0 || value_len > UINT16_MAX)
- return AVERROR_INVALIDDATA;
-
- name_len_utf8 = 2*name_len_utf16 + 1;
- name = av_malloc(name_len_utf8);
+ name_len_utf8 = 2 * name_len_utf16 + 1;
+ name = av_malloc(name_len_utf8);
if (!name)
return AVERROR(ENOMEM);
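Review bot: the removed `value_len > UINT16_MAX` check was the only bound on `value_len` in this function, and at this point in the series get_tag still does `av_malloc(2 * len + LEN)` behind `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)` (those lines are only removed in patch 04). So after this commit and before the next one, a `value_len` above roughly 1 GiB taken straight from the file trips the assertion and aborts the process, and smaller but still huge lengths attempt gigabyte-sized allocations; an intermediate commit that turns a file-controlled length into an abort is bad for bisecting. Either squash this hunk with the get_tag rework or land it after. The `(uint16_t)` casts on the `avio_rl16()` results are redundant (the value already fits the target type) and can go.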
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 04/10] libavformat/asfdec: fixing get_tag
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
These three are closely related and can't be separated easily:
In get_tag, the code was adding 22 bytes (in order to allow
it to hold 64bit numbers as string) to the value len for creating
a buffer. This was unnecessarily imposing a
size-constraint on the value_len parameter.
The code in get_tag was limiting the maximum value_len to
half the size of INT32. This was applied for all value types, even
though it is required only in case of ASF_UNICODE, not for any
other ones (like ASCII).
get_tag was always allocating a buffer regardless of the
datatype, even though this isn't required in case of ASF_BYTE_ARRAY.
The check for the return value from ff_asf_handle_byte_array()
being >0 is removed here because the log message is emitted
by the function itself now.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index eda7175c96..cb7da2d679 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -222,37 +222,63 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
- char *value = NULL;
int64_t off = avio_tell(s->pb);
-#define LEN 22
-
- av_assert0((unsigned)len < (INT_MAX - LEN) / 2);
+ char *value = NULL;
+ uint64_t required_bufferlen;
+ int buffer_len;
if (!asf->export_xmp && !strncmp(key, "xmp", 3))
goto finish;
- value = av_malloc(2 * len + LEN);
+ switch (type) {
+ case ASF_UNICODE:
+ required_bufferlen = (uint64_t)len * 2 + 1;
+ break;
+ case -1: // ASCII
+ required_bufferlen = (uint64_t)len + 1;
+ break;
+ case ASF_BYTE_ARRAY:
+ ff_asf_handle_byte_array(s, key, len);
+ goto finish;
+ case ASF_BOOL:
+ case ASF_DWORD:
+ case ASF_QWORD:
+ case ASF_WORD:
+ required_bufferlen = 22;
+ break;
+ case ASF_GUID:
+ required_bufferlen = 33;
+ break;
+ default:
+ required_bufferlen = len;
+ break;
+ }
+
+ if (required_bufferlen > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle values > INT32_MAX in tag %s.\n", key);
+ goto finish;
+ }
+
+ buffer_len = (int)required_bufferlen;
+
+ value = av_malloc(buffer_len);
if (!value)
goto finish;
switch (type) {
case ASF_UNICODE:
- avio_get_str16le(s->pb, len, value, 2 * len + 1);
+ avio_get_str16le(s->pb, len, value, buffer_len);
break;
- case -1: // ASCI
- avio_read(s->pb, value, len);
- value[len]=0;
+ case -1: // ASCII
+ avio_read(s->pb, value, buffer_len - 1);
+ value[buffer_len - 1] = 0;
break;
- case ASF_BYTE_ARRAY:
- if (ff_asf_handle_byte_array(s, key, len) > 0)
- av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", key);
- goto finish;
case ASF_BOOL:
case ASF_DWORD:
case ASF_QWORD:
case ASF_WORD: {
uint64_t num = get_value(s->pb, type, type2_size);
- snprintf(value, LEN, "%"PRIu64, num);
+ snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
case ASF_GUID:
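Review bot: the `default:` branch sets `required_bufferlen = len` and so allocates up to INT32_MAX bytes from a file-controlled length, even though the only thing done for an unknown type is to log it as unsupported and jump to `finish`; the allocation is wasted and a cheap way to pressure memory, so that branch should `goto finish` without allocating (the same holds for `ASF_GUID` while it still only logs in this commit, although patch 05 gives it a real body). Second point: the return value of `ff_asf_handle_byte_array()` is now dropped entirely, so a negative error from asf_read_picture or get_id3_tag (an allocation failure, for instance) is lost where the old `> 0` test at least left room to check it. The ASCII path (`avio_read(..., buffer_len - 1)` then `value[buffer_len - 1] = 0`) and the unicode path (`avio_get_str16le(s->pb, len, value, buffer_len)`) are both sized correctly against `required_bufferlen`.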
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 05/10] libavformat/asfdec: implement parsing of GUID values
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index cb7da2d679..81a29f99d5 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -281,9 +281,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len,
snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
- case ASF_GUID:
- av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
- goto finish;
+ case ASF_GUID: {
+ ff_asf_guid g;
+ ff_get_guid(s->pb, &g);
+ snprintf(value, buffer_len, "%x", g[0]);
+ break;
+ }
default:
av_log(s, AV_LOG_DEBUG,
"Unsupported value type %d in tag %s.\n", type, key);
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix macro definition and use
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 81a29f99d5..91c3874ac7 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -906,21 +906,21 @@ static int asf_read_header(AVFormatContext *s)
}
#define DO_2BITS(bits, var, defval) \
- switch (bits & 3) { \
+ switch ((bits) & 3) { \
case 3: \
- var = avio_rl32(pb); \
+ (var) = avio_rl32(pb); \
rsize += 4; \
break; \
case 2: \
- var = avio_rl16(pb); \
+ (var) = avio_rl16(pb); \
rsize += 2; \
break; \
case 1: \
- var = avio_r8(pb); \
+ (var) = avio_r8(pb); \
rsize++; \
break; \
default: \
- var = defval; \
+ (var) = (defval); \
break; \
}
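Review bot: parenthesising the macro arguments is right, but the body is still a bare `switch` that silently uses `pb` and `rsize` from the caller's scope, and the call sites (next hunks) now have to omit the trailing semicolon, which leaves three statement-like lines without terminators and breaks if a caller ever writes `if (x) DO_2BITS(...); else ...`. Wrapping the body in `do { ... } while (0)` lets call sites keep the `;` and behave as a single statement; a one-line comment naming the implicit `pb`/`rsize` dependencies would also help.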
@@ -1003,9 +1003,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
asf->packet_flags = c;
asf->packet_property = d;
- DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
- DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
- DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
+ DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
+ DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
+ DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
// the following checks prevent overflows and infinite loops
if (!packet_length || packet_length >= (1U << 29)) {
@@ -1066,9 +1066,9 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
asf->stream_index = asf->asfid2avid[num & 0x7f];
asfst = &asf->streams[num & 0x7f];
// sequence should be ignored!
- DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
- DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
- DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
+ DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
+ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
+ DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d replic_size:%d num:%X packet_property %X\n",
asf->packet_key_frame, asf->stream_index, asf->packet_seq,
asf->packet_frag_offset, asf->packet_replic_size, num, asf->packet_property);
@@ -1144,7 +1144,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_flags & 0x01) {
- DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
+ DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) // 0 is illegal
if (rsize > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
return AVERROR_INVALIDDATA;
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 07/10] libavformat/asfdec: remove variable redefinition in inner scope
From: softworkz @ 2022-05-14 20:55 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 91c3874ac7..fae15d9b05 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1191,7 +1191,7 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
return AVERROR_EOF;
if (asf->packet_size_left < FRAME_HEADER_SIZE ||
asf->packet_segments < 1 && asf->packet_time_start == 0) {
- int ret = asf->packet_size_left + asf->packet_padsize;
+ ret = asf->packet_size_left + asf->packet_padsize;
if (asf->packet_size_left && asf->packet_size_left < FRAME_HEADER_SIZE)
av_log(s, AV_LOG_WARNING, "Skip due to FRAME_HEADER_SIZE\n");
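Review bot: `ret = asf->packet_size_left + asf->packet_padsize;` now writes the function-scope `ret` instead of a block-local one, so the earlier value of `ret` is lost at this point; confirm that nothing after this `if` block relies on it, and say so in the commit message, which is currently empty. While touching this condition, `a < X || b < 1 && c == 0` mixes `||` and `&&` without parentheses (what -Wparentheses flags); writing `(asf->packet_segments < 1 && asf->packet_time_start == 0)` makes the intended grouping explicit.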
@@ -1260,7 +1260,6 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
if (asf_st->pkt.size != asf_st->packet_obj_size ||
// FIXME is this condition sufficient?
asf_st->frag_offset + asf->packet_frag_size > asf_st->pkt.size) {
- int ret;
if (asf_st->pkt.data) {
av_log(s, AV_LOG_INFO,
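Review bot: removing the block-local `int ret;` means every assignment to `ret` inside this `if` now lands in the function-level variable; the hunk does not show what the function returns afterwards, so confirm that an error code stored here is either returned or deliberately overwritten, and mention the shadowing warning that motivated the change in the commit message.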
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 08/10] libavformat/asfdec: ensure variables are initialized
From: softworkz @ 2022-05-14 20:55 UTC
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index fae15d9b05..cb396cccfe 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -978,6 +978,7 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
avio_seek(pb, -1, SEEK_CUR); // FIXME
}
} else {
+ d = e = 0;
c = avio_r8(pb);
if (c & 0x80) {
rsize ++;
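Review bot: `d = e = 0;` is a safe default for the else branch, but the commit message does not say which path read `d` or `e` before assigning them or which compiler diagnostic reported it; a one-line explanation, and a comment at the initialisation if these values are never meaningful on this branch, would help the next reader understand why the zeroing is here rather than at the declaration.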
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 09/10] libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
From: softworkz @ 2022-05-14 20:55 UTC
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index cb396cccfe..95cab8b960 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -324,7 +324,7 @@ static int asf_read_file_properties(AVFormatContext *s)
return 0;
}
-static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
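Review bot: the commit message is empty; state why the parameter becomes unsigned (presumably to match the caller's `gsize`, which 10/10 also turns into uint64_t) and audit the body for expressions that subtract from `size`. With a signed `size` such an expression could go negative and fail a `>= N` test; with uint64_t it wraps to a very large value and passes, so an object whose declared size is smaller than the bytes already consumed is no longer skipped. One such test, `size - (avio_tell(pb) - pos1 + 24) >= 51`, is visible as context in 10/10; rewriting it as `size >= avio_tell(pb) - pos1 + 24 + 51` avoids the wrap.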
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v4 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values
From: softworkz @ 2022-05-14 20:55 UTC
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 168 ++++++++++++++++++++++++++---------------
1 file changed, 108 insertions(+), 60 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 95cab8b960..d50682b901 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -333,9 +333,9 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
ASFStream *asf_st;
ff_asf_guid g;
enum AVMediaType type;
- int type_specific_size, sizeX;
- unsigned int tag1;
- int64_t pos1, pos2, start_time;
+ unsigned int tag1, type_specific_size, sizeX;
+ int64_t pos1, pos2;
+ uint32_t start_time;
int test_for_ext_stream_audio, is_dvr_ms_audio = 0;
if (s->nb_streams == ASF_MAX_STREAMS) {
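Review bot: narrowing `start_time` from int64_t to uint32_t is not explained by the (empty) commit message, and the hunk does not show where it is assigned or consumed; please state that the source field is 32-bit, and check its uses: arithmetic with other 32-bit operands now becomes unsigned, and any comparison that relied on a negative `start_time` can no longer trigger.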
@@ -404,7 +404,14 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
st->codecpar->codec_type = type;
if (type == AVMEDIA_TYPE_AUDIO) {
- int ret = ff_get_wav_header(s, pb, st->codecpar, type_specific_size, 0);
+ int ret;
+
+ if (type_specific_size > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported WAV header size (> INT32_MAX)\n");
+ return AVERROR(ENOTSUP);
+ }
+
+ ret = ff_get_wav_header(s, pb, st->codecpar, (int)type_specific_size, 0);
if (ret < 0)
return ret;
if (is_dvr_ms_audio) {
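Review bot: a type-specific-data length above INT32_MAX cannot come from a well-formed file (ff_get_wav_header could never consume it), so AVERROR_INVALIDDATA describes the situation better than AVERROR(ENOTSUP); and logging the rejection at AV_LOG_DEBUG means a user whose file is refused sees nothing. AV_LOG_ERROR, or at least AV_LOG_WARNING, together with the offending value would make the failure diagnosable. The same applies to the other new `> INT32_MAX` checks in this patch.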
@@ -434,21 +441,32 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
}
} else if (type == AVMEDIA_TYPE_VIDEO &&
size - (avio_tell(pb) - pos1 + 24) >= 51) {
+ unsigned int width, height;
avio_rl32(pb);
avio_rl32(pb);
avio_r8(pb);
avio_rl16(pb); /* size */
- sizeX = avio_rl32(pb); /* size */
- st->codecpar->width = avio_rl32(pb);
- st->codecpar->height = avio_rl32(pb);
+ sizeX = avio_rl32(pb); /* size */
+ width = avio_rl32(pb);
+ height = avio_rl32(pb);
+
+ if (width > INT32_MAX || height > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height);
+ return AVERROR(ENOTSUP);
+ }
+
+ st->codecpar->width = (int)width;
+ st->codecpar->height = (int)height;
/* not available for asf */
avio_rl16(pb); /* panes */
st->codecpar->bits_per_coded_sample = avio_rl16(pb); /* depth */
tag1 = avio_rl32(pb);
avio_skip(pb, 20);
if (sizeX > 40) {
- if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
- return AVERROR_INVALIDDATA;
+ if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported extradata size\n");
+ return AVERROR(ENOTSUP);
+ }
st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40);
st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size +
AV_INPUT_BUFFER_PADDING_SIZE);
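Review bot: `"Unsupported video size %dx%d\n"` prints `unsigned int` width/height with %d; use %u, and the same mismatch recurs in the later messages for len, packet_ts, packet_size_left and padsize. The context line `size - (avio_tell(pb) - pos1 + 24) >= 51` is also worth a look here: with `size` now uint64_t (09/10) the subtraction wraps instead of going negative when the object is shorter than what has been read, so the video branch is entered rather than skipped; comparing `size >= avio_tell(pb) - pos1 + 24 + 51` avoids that.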
@@ -500,9 +518,9 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
ff_asf_guid g;
- int ext_len, payload_ext_ct, stream_ct, i;
- uint32_t leak_rate, stream_num;
- unsigned int stream_languageid_index;
+ uint16_t payload_ext_ct, stream_ct, i;
+ uint32_t leak_rate, ext_len;
+ uint16_t stream_languageid_index, stream_num;
avio_rl64(pb); // starttime
avio_rl64(pb); // endtime
@@ -514,15 +532,15 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
avio_rl32(pb); // alt-init-bucket-fullness
avio_rl32(pb); // max-object-size
avio_rl32(pb); // flags (reliable,seekable,no_cleanpoints?,resend-live-cleanpoints, rest of bits reserved)
- stream_num = avio_rl16(pb); // stream-num
+ stream_num = (uint16_t)avio_rl16(pb); // stream-num
- stream_languageid_index = avio_rl16(pb); // stream-language-id-index
+ stream_languageid_index = (uint16_t)avio_rl16(pb); // stream-language-id-index
if (stream_num < 128)
asf->streams[stream_num].stream_language_index = stream_languageid_index;
avio_rl64(pb); // avg frametime in 100ns units
- stream_ct = avio_rl16(pb); // stream-name-count
- payload_ext_ct = avio_rl16(pb); // payload-extension-system-count
+ stream_ct = (uint16_t)avio_rl16(pb); // stream-name-count
+ payload_ext_ct = (uint16_t)avio_rl16(pb); // payload-extension-system-count
if (stream_num < 128) {
asf->stream_bitrates[stream_num] = leak_rate;
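Review bot: the `(uint16_t)avio_rl16(pb)` casts in this hunk (stream_num, stream_languageid_index, stream_ct, payload_ext_ct) are redundant: assigning the `unsigned int` result to a uint16_t already performs exactly that conversion, and the explicit cast would silently keep truncating if the variable were ever widened later. Dropping them leaves the hunk as a pure type change; the same holds for the casts in the later hunks of this patch.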
@@ -536,12 +554,10 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
}
for (i = 0; i < payload_ext_ct; i++) {
- int size;
+ uint16_t size;
ff_get_guid(pb, &g);
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
ext_len = avio_rl32(pb);
- if (ext_len < 0)
- return AVERROR_INVALIDDATA;
avio_skip(pb, ext_len);
if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
ASFPayload *p = &asf->streams[stream_num].payload[i];
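Review bot: removing `if (ext_len < 0) return AVERROR_INVALIDDATA;` is a behaviour change, not only a type fix: extension lengths of 2^31 and above used to be rejected and are now handed straight to avio_skip, which seeks past the end of the object (and possibly the file) without an error at this point. Since ext_len is a length inside the current object, bounding it against the bytes remaining in the object is the stronger check, and the commit message should mention the change.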
@@ -580,20 +596,21 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num = 0;
uint64_t dar_den = 0;
- int desc_count, i, ret;
+ uint16_t desc_count, i;
+ int ret;
- desc_count = avio_rl16(pb);
+ desc_count = (uint16_t)avio_rl16(pb);
for (i = 0; i < desc_count; i++) {
- int name_len, value_type, value_len;
+ uint16_t name_len, value_type, value_len;
char name[1024];
- name_len = avio_rl16(pb);
+ name_len = (uint16_t)avio_rl16(pb);
if (name_len % 2) // must be even, broken lavf versions wrote len-1
name_len += 1;
if ((ret = avio_get_str16le(pb, name_len, name, sizeof(name))) < name_len)
avio_skip(pb, name_len - ret);
- value_type = avio_rl16(pb);
- value_len = avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb);
+ value_len = (uint16_t)avio_rl16(pb);
if (!value_type && value_len % 2)
value_len += 1;
/* My sample has that stream set to 0 maybe that mean the container.
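Review bot: `name_len += 1` on a uint16_t wraps to 0 when the stored length is 0xFFFF (the previous int version produced 65536); avio_get_str16le then reads nothing and the parser is no longer aligned with the object for the rest of the descriptor list. The same applies to `value_len += 1`. Keep the adjusted lengths in an `int` or `unsigned` wide enough for 65536, or reject a length of 0xFFFF explicitly before rounding up.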
@@ -627,14 +644,16 @@ static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int j, ret;
- int stream_count = avio_rl16(pb);
+ int ret;
+ uint16_t j;
+ const uint16_t stream_count = (uint16_t)avio_rl16(pb);
+
for (j = 0; j < stream_count; j++) {
char lang[6];
- unsigned int lang_len = avio_r8(pb);
+ const uint8_t lang_len = (uint8_t)avio_r8(pb);
if ((ret = avio_get_str16le(pb, lang_len, lang,
sizeof(lang))) < lang_len)
- avio_skip(pb, lang_len - ret);
+ avio_skip(pb, (int)lang_len - ret);
if (j < 128)
av_strlcpy(asf->stream_languages[j], lang,
sizeof(*asf->stream_languages));
@@ -649,14 +668,14 @@ static int asf_read_metadata(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
- int n, name_len_utf8;
- uint16_t stream_num, name_len_utf16, value_type;
+ int name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type, i, n;
uint32_t value_len;
- int ret, i;
- n = avio_rl16(pb);
+ int ret;
+ n = (uint16_t)avio_rl16(pb);
for (i = 0; i < n; i++) {
- uint8_t *name;
+ char *name;
avio_rl16(pb); // lang_list_index
stream_num = (uint16_t)avio_rl16(pb);
@@ -670,7 +689,7 @@ static int asf_read_metadata(AVFormatContext *s)
return AVERROR(ENOMEM);
if ((ret = avio_get_str16le(pb, name_len_utf16, name, name_len_utf8)) < name_len_utf16)
- avio_skip(pb, name_len_utf16 - ret);
+ avio_skip(pb, (int)name_len_utf16 - ret);
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
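Review bot: the trace line in context prints `value_len` (uint32_t) with %4d; the uint16_t arguments are fine after integer promotion, but `value_len` should use %4"PRIu32". The `(int)` cast in the new avio_skip call is unnecessary for the same reason: uint16_t promotes to int before the subtraction.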
@@ -707,19 +726,21 @@ static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int i, count, name_len, ret;
+ int ret;
+ unsigned count, i;
+ uint16_t name_len;
char name[1024];
avio_rl64(pb); // reserved 16 bytes
avio_rl64(pb); // ...
count = avio_rl32(pb); // markers count
avio_rl16(pb); // reserved 2 bytes
- name_len = avio_rl16(pb); // name length
+ name_len = (uint16_t)avio_rl16(pb); // name length
avio_skip(pb, name_len);
for (i = 0; i < count; i++) {
- int64_t pres_time;
- int name_len;
+ uint64_t pres_time;
+ unsigned name2_len;
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
@@ -730,13 +751,18 @@ static int asf_read_marker(AVFormatContext *s)
avio_rl16(pb); // entry length
avio_rl32(pb); // send time
avio_rl32(pb); // flags
- name_len = avio_rl32(pb); // name length
- if ((unsigned)name_len > INT_MAX / 2)
+ name2_len = avio_rl32(pb); // name length
+ if (name2_len > INT_MAX / 2)
return AVERROR_INVALIDDATA;
- if ((ret = avio_get_str16le(pb, name_len * 2, name,
- sizeof(name))) < name_len)
- avio_skip(pb, name_len - ret);
- avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, pres_time,
+ if ((ret = avio_get_str16le(pb, (int)name2_len, name,
+ sizeof(name))) < name2_len)
+ avio_skip(pb, name2_len - ret);
+
+ if (pres_time > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported presentation time value: %"PRIu64"\n", pres_time);
+ return AVERROR(ENOTSUP);
+ }
+ avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, (int64_t)pres_time,
AV_NOPTS_VALUE, name);
}
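Review bot: the call changed from `avio_get_str16le(pb, name_len * 2, ...)` to `avio_get_str16le(pb, (int)name2_len, ...)`, which halves the number of bytes consumed if the field counts WCHARs as the old multiplication assumed; the following `avio_skip(pb, name2_len - ret)` then stops inside the description and the remaining marker entries are misread. The old code was already inconsistent (it compared the byte count `ret` against an unmultiplied `name_len`), so decide the unit of `name2_len` once, convert it to bytes before the read, and use that byte count in both the comparison and the skip; the `INT_MAX / 2` bound only made sense together with the `* 2`. The `pres_time > INT64_MAX` case is corrupt input rather than an unsupported feature, so AVERROR_INVALIDDATA fits better than AVERROR(ENOTSUP) there.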
@@ -749,7 +775,7 @@ static int asf_read_header(AVFormatContext *s)
ff_asf_guid g;
AVIOContext *pb = s->pb;
int i;
- int64_t gsize;
+ uint64_t gsize;
ff_get_guid(pb, &g);
if (ff_guidcmp(&g, &ff_asf_header))
@@ -764,7 +790,7 @@ static int asf_read_header(AVFormatContext *s)
asf->streams[i].stream_language_index = 128; // invalid stream index means no language info
for (;;) {
- uint64_t gpos = avio_tell(pb);
+ const int64_t gpos = avio_tell(pb);
int ret = 0;
ff_get_guid(pb, &g);
gsize = avio_rl64(pb);
@@ -819,7 +845,12 @@ static int asf_read_header(AVFormatContext *s)
len= avio_rl32(pb);
av_log(s, AV_LOG_DEBUG, "Secret data:\n");
- if ((ret = av_get_packet(pb, pkt, len)) < 0)
+ if (len > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported encryption packet length: %d\n", len);
+ return AVERROR(ENOTSUP);
+ }
+
+ if ((ret = av_get_packet(pb, pkt, (int)len)) < 0)
return ret;
av_hex_dump_log(s, AV_LOG_DEBUG, pkt->data, pkt->size);
av_packet_unref(pkt);
@@ -933,7 +964,7 @@ static int asf_read_header(AVFormatContext *s)
static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
{
ASFContext *asf = s->priv_data;
- uint32_t packet_length, padsize;
+ uint32_t packet_length, packet_ts, padsize;
int rsize = 8;
int c, d, e, off;
@@ -1021,7 +1052,12 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
- asf->packet_timestamp = avio_rl32(pb);
+ packet_ts = avio_rl32(pb);
+ if (packet_ts > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_timestamp value: %d\n", packet_ts);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_timestamp = (int)packet_ts;
avio_rl16(pb); /* duration */
// rsize has at least 11 bytes which have to be present
@@ -1040,10 +1076,21 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
rsize, packet_length, padsize, avio_tell(pb));
return AVERROR_INVALIDDATA;
}
- asf->packet_size_left = packet_length - padsize - rsize;
+
+ if (packet_length - padsize - rsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_size_left value: %d\n", packet_length - padsize - rsize);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_size_left = (int)(packet_length - padsize - rsize);
+
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
- asf->packet_padsize = padsize;
+ if (padsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet padsize value: %d\n", padsize);
+ return AVERROR(ENOTSUP);
+ }
+
+ asf->packet_padsize = (int)padsize;
av_log(s, AV_LOG_TRACE, "packet: size=%d padsize=%d left=%d\n",
s->packet_size, asf->packet_padsize, asf->packet_size_left);
return 0;
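Review bot: `packet_length - padsize - rsize > INT32_MAX` can only be true after unsigned underflow, because packet_length is already capped below `1U << 29` earlier in this function (the `packet_length >= (1U << 29)` check quoted in 06/10), and the check ending at the top of this hunk already returns AVERROR_INVALIDDATA after logging rsize, packet_length and padsize. If the new test is reachable at all it reports corrupt data as "unsupported" at DEBUG level; either drop it or return AVERROR_INVALIDDATA. The same reasoning applies to `padsize > INT32_MAX`, and both messages print unsigned values with %d.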
@@ -1078,22 +1125,23 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_replic_size >= 8) {
- int64_t end = avio_tell(pb) + asf->packet_replic_size;
+ const int64_t end = avio_tell(pb) + asf->packet_replic_size;
AVRational aspect;
- asfst->packet_obj_size = avio_rl32(pb);
- if (asfst->packet_obj_size >= (1 << 24) || asfst->packet_obj_size < 0) {
+ const unsigned packet_obj_size = avio_rl32(pb);
+ if (packet_obj_size >= (1 << 24)) {
av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size);
asfst->packet_obj_size = 0;
return AVERROR_INVALIDDATA;
}
+ asfst->packet_obj_size = (int)packet_obj_size;
asf->packet_frag_timestamp = avio_rl32(pb); // timestamp
for (i = 0; i < asfst->payload_ext_ct; i++) {
ASFPayload *p = &asfst->payload[i];
- int size = p->size;
+ uint16_t size = p->size;
int64_t payend;
if (size == 0xFFFF)
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
payend = avio_tell(pb) + size;
if (payend > end) {
av_log(s, AV_LOG_ERROR, "too long payload\n");
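Review bot: the error path logs `asfst->packet_obj_size`, which at that point still holds the previous packet's value (the freshly read size lives in the local `packet_obj_size` and is only stored after the check), so the message prints a stale number; log `packet_obj_size` with %u instead. Dropping the `< 0` half of the condition is correct now that the value is unsigned.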
@@ -1494,7 +1542,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
ASFStream *asf_st;
int64_t pts;
int64_t pos = *ppos;
- int i;
+ unsigned i;
int64_t start_pos[ASF_MAX_STREAMS];
for (i = 0; i < s->nb_streams; i++)
@@ -1551,7 +1599,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
int64_t ret;
if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) {
- return ret;
+ return (int)ret;
}
if ((ret = ff_get_guid(s->pb, &g)) < 0)
--
ffmpeg-codebot
* Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix macro definition and use
From: Andreas Rheinhardt @ 2022-05-15 18:12 UTC
To: ffmpeg-devel
softworkz:
> From: softworkz <softworkz@hotmail.com>
>
> Signed-off-by: softworkz <softworkz@hotmail.com>
> ---
> libavformat/asfdec_f.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> index 81a29f99d5..91c3874ac7 100644
> --- a/libavformat/asfdec_f.c
> +++ b/libavformat/asfdec_f.c
> @@ -906,21 +906,21 @@ static int asf_read_header(AVFormatContext *s)
> }
>
> #define DO_2BITS(bits, var, defval) \
> - switch (bits & 3) { \
> + switch ((bits) & 3) { \
> case 3: \
> - var = avio_rl32(pb); \
> + (var) = avio_rl32(pb); \
> rsize += 4; \
> break; \
> case 2: \
> - var = avio_rl16(pb); \
> + (var) = avio_rl16(pb); \
> rsize += 2; \
> break; \
> case 1: \
> - var = avio_r8(pb); \
> + (var) = avio_r8(pb); \
> rsize++; \
> break; \
> default: \
> - var = defval; \
> + (var) = (defval); \
> break; \
> }
>
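Review bot: parenthesising `bits` and `defval` is the part of this hunk that protects against operator-precedence surprises; `(var) = ...` on the left-hand side changes nothing, since an assignment target cannot be mis-parsed, and the macro still expands to a bare `switch` statement. A `do { ... } while (0)` wrapper would make the call sites below valid with their original semicolons and keep the macro usable as a single statement inside an unbraced `if`, without needing the ';' removals further down.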
> @@ -1003,9 +1003,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
> asf->packet_flags = c;
> asf->packet_property = d;
>
> - DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
> - DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
> - DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
> + DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
> + DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
> + DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
>
> // the following checks prevent overflows and infinite loops
> if (!packet_length || packet_length >= (1U << 29)) {
> @@ -1066,9 +1066,9 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
> asf->stream_index = asf->asfid2avid[num & 0x7f];
> asfst = &asf->streams[num & 0x7f];
> // sequence should be ignored!
> - DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
> - DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
> - DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
> + DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
> + DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
> + DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
> av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d replic_size:%d num:%X packet_property %X\n",
> asf->packet_key_frame, asf->stream_index, asf->packet_seq,
> asf->packet_frag_offset, asf->packet_replic_size, num, asf->packet_property);
> @@ -1144,7 +1144,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
> return AVERROR_INVALIDDATA;
> }
> if (asf->packet_flags & 0x01) {
> - DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
> + DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) // 0 is illegal
> if (rsize > asf->packet_size_left) {
> av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
> return AVERROR_INVALIDDATA;
While protecting macro arguments is good, it is not really a "fix"
unless current usage is buggy. Which it isn't here, because >> has
higher precedence than &.
Furthermore I am not really sure whether removing the ';' is even
something worthwhile; they are surely unnecessary (being null
statements), but does this matter?
- Andreas
* Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix macro definition and use
From: Soft Works @ 2022-05-15 22:51 UTC
To: FFmpeg development discussions and patches
> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Andreas Rheinhardt
> Sent: Sunday, May 15, 2022 8:12 PM
> To: ffmpeg-devel@ffmpeg.org
> Subject: Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix
> macro definition and use
>
> softworkz:
> > From: softworkz <softworkz@hotmail.com>
> >
> > Signed-off-by: softworkz <softworkz@hotmail.com>
> > ---
> > libavformat/asfdec_f.c | 24 ++++++++++++------------
> > 1 file changed, 12 insertions(+), 12 deletions(-)
> >
> > diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> > index 81a29f99d5..91c3874ac7 100644
> > --- a/libavformat/asfdec_f.c
> > +++ b/libavformat/asfdec_f.c
> > @@ -906,21 +906,21 @@ static int asf_read_header(AVFormatContext *s)
> > }
> >
> > #define DO_2BITS(bits, var, defval) \
> > - switch (bits & 3) { \
> > + switch ((bits) & 3) { \
> > case 3: \
> > - var = avio_rl32(pb); \
> > + (var) = avio_rl32(pb); \
> > rsize += 4; \
> > break; \
> > case 2: \
> > - var = avio_rl16(pb); \
> > + (var) = avio_rl16(pb); \
> > rsize += 2; \
> > break; \
> > case 1: \
> > - var = avio_r8(pb); \
> > + (var) = avio_r8(pb); \
> > rsize++; \
> > break; \
> > default: \
> > - var = defval; \
> > + (var) = (defval); \
> > break; \
> > }
> >
> > @@ -1003,9 +1003,9 @@ static int asf_get_packet(AVFormatContext *s,
> AVIOContext *pb)
> > asf->packet_flags = c;
> > asf->packet_property = d;
> >
> > - DO_2BITS(asf->packet_flags >> 5, packet_length, s-
> >packet_size);
> > - DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence
> ignored
> > - DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
> > + DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
> > + DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence
> ignored
> > + DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
> >
> > // the following checks prevent overflows and infinite loops
> > if (!packet_length || packet_length >= (1U << 29)) {
> > @@ -1066,9 +1066,9 @@ static int
> asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
> > asf->stream_index = asf->asfid2avid[num & 0x7f];
> > asfst = &asf->streams[num & 0x7f];
> > // sequence should be ignored!
> > - DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
> > - DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset,
> 0);
> > - DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
> > + DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
> > + DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
> > + DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
> > av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d
> replic_size:%d num:%X packet_property %X\n",
> > asf->packet_key_frame, asf->stream_index, asf-
> >packet_seq,
> > asf->packet_frag_offset, asf->packet_replic_size, num,
> asf->packet_property);
> > @@ -1144,7 +1144,7 @@ static int
> asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
> > return AVERROR_INVALIDDATA;
> > }
> > if (asf->packet_flags & 0x01) {
> > - DO_2BITS(asf->packet_segsizetype >> 6, asf-
> >packet_frag_size, 0); // 0 is illegal
> > + DO_2BITS(asf->packet_segsizetype >> 6, asf-
> >packet_frag_size, 0) // 0 is illegal
> > if (rsize > asf->packet_size_left) {
> > av_log(s, AV_LOG_ERROR, "packet_replic_size is
> invalid\n");
> > return AVERROR_INVALIDDATA;
>
> While protecting macro arguments is good, it is not really a "fix"
> unless current usage is buggy.
Ok, I will rephrase the commit message.
> Which it isn't here, because >> has higher precedence than &.
Could you explain which change you are referring to?
All this patch does is to put macro variables in brackets
and remove semicolons.
> Furthermore I am not really sure whether removing the ';' is even
> something worthwhile; they are surely unnecessary (being null
> statements), but does this matter?
It causes a warning:
https://releases.llvm.org/13.0.0/tools/clang/docs/DiagnosticsReference.html#wextra-semi-stmt
I don't know how others are working, but I usually work in a way where
such warnings are shown in the editor and in lists in the IDE
even without compilation. Now - when you have a code file that
generates like 20, 50 or more warnings, it's much harder to spot
those warnings that might be really relevant and hinting at a mistake,
and you might be just too lazy to go through them each time.
The clang diagnostics have been helpful in spotting some actual
issues in this very file. That's why I consider it worthwhile
to also eliminate such "non-issues".
Thanks for reviewing,
softworkz
* Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix macro definition and use
From: Andreas Rheinhardt @ 2022-05-16 8:48 UTC
To: ffmpeg-devel
Soft Works:
>
>
>> -----Original Message-----
>> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
>> Andreas Rheinhardt
>> Sent: Sunday, May 15, 2022 8:12 PM
>> To: ffmpeg-devel@ffmpeg.org
>> Subject: Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix
>> macro definition and use
>>
>> softworkz:
>>> From: softworkz <softworkz@hotmail.com>
>>>
>>> Signed-off-by: softworkz <softworkz@hotmail.com>
>>> ---
>>> libavformat/asfdec_f.c | 24 ++++++++++++------------
>>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>>
>>> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
>>> index 81a29f99d5..91c3874ac7 100644
>>> --- a/libavformat/asfdec_f.c
>>> +++ b/libavformat/asfdec_f.c
>>> @@ -906,21 +906,21 @@ static int asf_read_header(AVFormatContext *s)
>>> }
>>>
>>> #define DO_2BITS(bits, var, defval) \
>>> - switch (bits & 3) { \
>>> + switch ((bits) & 3) { \
>>> case 3: \
>>> - var = avio_rl32(pb); \
>>> + (var) = avio_rl32(pb); \
>>> rsize += 4; \
>>> break; \
>>> case 2: \
>>> - var = avio_rl16(pb); \
>>> + (var) = avio_rl16(pb); \
>>> rsize += 2; \
>>> break; \
>>> case 1: \
>>> - var = avio_r8(pb); \
>>> + (var) = avio_r8(pb); \
>>> rsize++; \
>>> break; \
>>> default: \
>>> - var = defval; \
>>> + (var) = (defval); \
>>> break; \
>>> }
>>>
>>> @@ -1003,9 +1003,9 @@ static int asf_get_packet(AVFormatContext *s,
>> AVIOContext *pb)
>>> asf->packet_flags = c;
>>> asf->packet_property = d;
>>>
>>> - DO_2BITS(asf->packet_flags >> 5, packet_length, s-
>>> packet_size);
>>> - DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence
>> ignored
>>> - DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
>>> + DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
>>> + DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence
>> ignored
>>> + DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
>>>
>>> // the following checks prevent overflows and infinite loops
>>> if (!packet_length || packet_length >= (1U << 29)) {
>>> @@ -1066,9 +1066,9 @@ static int
>> asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
>>> asf->stream_index = asf->asfid2avid[num & 0x7f];
>>> asfst = &asf->streams[num & 0x7f];
>>> // sequence should be ignored!
>>> - DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
>>> - DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset,
>> 0);
>>> - DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
>>> + DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
>>> + DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
>>> + DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
>>> av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d
>> replic_size:%d num:%X packet_property %X\n",
>>> asf->packet_key_frame, asf->stream_index, asf-
>>> packet_seq,
>>> asf->packet_frag_offset, asf->packet_replic_size, num,
>> asf->packet_property);
>>> @@ -1144,7 +1144,7 @@ static int
>> asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
>>> return AVERROR_INVALIDDATA;
>>> }
>>> if (asf->packet_flags & 0x01) {
>>> - DO_2BITS(asf->packet_segsizetype >> 6, asf-
>>> packet_frag_size, 0); // 0 is illegal
>>> + DO_2BITS(asf->packet_segsizetype >> 6, asf-
>>> packet_frag_size, 0) // 0 is illegal
>>> if (rsize > asf->packet_size_left) {
>>> av_log(s, AV_LOG_ERROR, "packet_replic_size is
>> invalid\n");
>>> return AVERROR_INVALIDDATA;
>>
>> While protecting macro arguments is good, it is not really a "fix"
>> unless current usage is buggy.
>
> Ok, I will rephrase the commit message.
>
>> Which it isn't here, because >> has higher precedence than &.
>
> Could you explain which change you are referring to?
>
Putting "bits" in parentheses. It doesn't change anything, because >>
has higher precedence than &.
> All this patch does is to put macro variables in brackets
> and remove semicolons..
>
>> Furthermore I am not really sure whether removing the ';' is even
>> something worthwhile; they are surely unnecessary (being null
>> statements), but does this matter?
>
> It causes a warning
>
> https://releases.llvm.org/13.0.0/tools/clang/docs/DiagnosticsReference.html#wextra-semi-stmt
>
I don't receive this warning despite using Clang 13.0. Do you have -Wall
or -Wextra or something like that enabled?
IMO a better fix for this would be to wrap the macro in a do {} while
(0) to keep the macro calls function-like.
Anyway, you should have mentioned in the commit message that your aim is
to fix this uncommon warning.
> I don't know how others are working, but I use to work in a way where
> such warnings are shown in the editor and in lists in the IDE
> even without compilation. Now - when you have a code file that
> generates like 20, 50 or more warnings, it's much harder to spot
> those warnings that might be really relevant and hinting at a mistake,
> and you might be just too lazy to go through them each time.
>
> The clang diagnostics have been helpful in spotting some actual
> issues in this very file. That's why I consider it worthwhile
> to also eliminate such "non-issues".
>
I also work like that; e.g. my recent ac3.h header patchset was inspired
by clangd not liking cycles in header inclusions ("In included file:
main file cannot be included recursively when building a preamble").
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 68+ messages in thread
* Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix macro definition and use
2022-05-16 8:48 ` Andreas Rheinhardt
@ 2022-05-16 22:03 ` Soft Works
0 siblings, 0 replies; 68+ messages in thread
From: Soft Works @ 2022-05-16 22:03 UTC (permalink / raw)
To: FFmpeg development discussions and patches
> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Andreas Rheinhardt
> Sent: Monday, May 16, 2022 10:49 AM
> To: ffmpeg-devel@ffmpeg.org
> Subject: Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix
> macro definition and use
>
> Soft Works:
> >
> >
> >> -----Original Message-----
> >> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> >> Andreas Rheinhardt
> >> Sent: Sunday, May 15, 2022 8:12 PM
> >> To: ffmpeg-devel@ffmpeg.org
> >> Subject: Re: [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec:
> fix
> >> macro definition and use
> >>
> >> softworkz:
> >>> From: softworkz <softworkz@hotmail.com>
> >>>
> >>> Signed-off-by: softworkz <softworkz@hotmail.com>
> >>> ---
> >>> libavformat/asfdec_f.c | 24 ++++++++++++------------
> >>> 1 file changed, 12 insertions(+), 12 deletions(-)
> >>>
> >>> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> >>> index 81a29f99d5..91c3874ac7 100644
> >>> --- a/libavformat/asfdec_f.c
> >>> +++ b/libavformat/asfdec_f.c
> >>> @@ -906,21 +906,21 @@ static int asf_read_header(AVFormatContext
> *s)
> >>> }
> >>>
> >>> #define DO_2BITS(bits, var, defval) \
> >>> - switch (bits & 3) { \
> >>> + switch ((bits) & 3) { \
> >>> case 3: \
> >>> - var = avio_rl32(pb); \
> >>> + (var) = avio_rl32(pb); \
> >>> rsize += 4; \
> >>> break; \
> >>> case 2: \
> >>> - var = avio_rl16(pb); \
> >>> + (var) = avio_rl16(pb); \
> >>> rsize += 2; \
> >>> break; \
> >>> case 1: \
> >>> - var = avio_r8(pb); \
> >>> + (var) = avio_r8(pb); \
> >>> rsize++; \
> >>> break; \
> >>> default: \
> >>> - var = defval; \
> >>> + (var) = (defval); \
> >>> break; \
> >>> }
> >>>
> >>> @@ -1003,9 +1003,9 @@ static int asf_get_packet(AVFormatContext
> *s,
> >> AVIOContext *pb)
> >>> asf->packet_flags = c;
> >>> asf->packet_property = d;
> >>>
> >>> - DO_2BITS(asf->packet_flags >> 5, packet_length, s-
> >>> packet_size);
> >>> - DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence
> >> ignored
> >>> - DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding
> length
> >>> + DO_2BITS(asf->packet_flags >> 5, packet_length, s-
> >packet_size)
> >>> + DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence
> >> ignored
> >>> + DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding
> length
> >>>
> >>> // the following checks prevent overflows and infinite loops
> >>> if (!packet_length || packet_length >= (1U << 29)) {
> >>> @@ -1066,9 +1066,9 @@ static int
> >> asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
> >>> asf->stream_index = asf->asfid2avid[num & 0x7f];
> >>> asfst = &asf->streams[num & 0x7f];
> >>> // sequence should be ignored!
> >>> - DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
> >>> - DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset,
> >> 0);
> >>> - DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
> >>> + DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
> >>> + DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset,
> 0)
> >>> + DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
> >>> av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d
> >> replic_size:%d num:%X packet_property %X\n",
> >>> asf->packet_key_frame, asf->stream_index, asf-
> >>> packet_seq,
> >>> asf->packet_frag_offset, asf->packet_replic_size,
> num,
> >> asf->packet_property);
> >>> @@ -1144,7 +1144,7 @@ static int
> >> asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
> >>> return AVERROR_INVALIDDATA;
> >>> }
> >>> if (asf->packet_flags & 0x01) {
> >>> - DO_2BITS(asf->packet_segsizetype >> 6, asf-
> >>> packet_frag_size, 0); // 0 is illegal
> >>> + DO_2BITS(asf->packet_segsizetype >> 6, asf-
> >>> packet_frag_size, 0) // 0 is illegal
> >>> if (rsize > asf->packet_size_left) {
> >>> av_log(s, AV_LOG_ERROR, "packet_replic_size is
> >> invalid\n");
> >>> return AVERROR_INVALIDDATA;
> >>
> >> While protecting macro arguments is good, it is not really a "fix"
> >> unless current usage is buggy.
> >
> > Ok, I will rephrase the commit message.
> >
> >> Which it isn't here, because >> has higher precedence than &.
> >
> > Could you explain which change you are referring to?
> >
>
> Putting "bits" in parentheses. It doesn't change anything, because >>
> has higher precedence than &.
Ah, that's what you mean. I didn't even look at the usages of
the macro, because I think a macro should be safe intrinsically,
not only based on its current usages.
Actually this had also caught my attention due to a clang warning:
https://releases.llvm.org/13.0.0/tools/clang/tools/extra/docs/clang-tidy/checks/bugprone-macro-parentheses.html
> > All this patch does is to put macro variables in brackets
> > and remove semicolons..
> >
> >> Furthermore I am not really sure whether removing the ';' is even
> >> something worthwhile; they are surely unnecessary (being null
> >> statements), but does this matter?
> >
> > It causes a warning
> >
> >
> https://releases.llvm.org/13.0.0/tools/clang/docs/DiagnosticsReference
> .html#wextra-semi-stmt
> >
>
> I don't receive this warning despite using Clang 13.0. Do you have -
> Wall
> or -Wextra or something like that enabled?
I'm using ReSharper C++ which is using clang-tidy from clang 13.0
with -Weverything
What settings do you use?
> IMO a better fix for this would be to wrap the macro in a do {} while
> (0) to keep the macro calls function-like.
Isn't that a bit too... hm.. much/ugly?
> Anyway, you should have mentioned in the commit message that your aim
> is to fix this uncommon warning.
Yes, that makes sense.
> > I don't know how others are working, but I usually work in a way
> where
> > such warnings are shown in the editor and in lists in the IDE
> > even without compilation. Now - when you have a code file that
> > generates like 20, 50 or more warnings, it's much harder to spot
> > those warnings that might be really relevant and hinting at a
> mistake,
> > and you might be just too lazy to go through them each time.
> >
> > The clang diagnostics have been helpful in spotting some actual
> > issues in this very file. That's why I consider it worthwhile
> > to also eliminate such "non-issues".
> >
>
> I also work like that; e.g. my recent ac3.h header patchset was
> inspired
> by clangd not liking cycles in header inclusions ("In included file:
> main file cannot be included recursively when building a preamble").
Yeah, I gathered from some of your patches that you must be using
some tooling as well. Would you allow me the question which IDE you
are using?
Thanks a lot,
softworkz
* [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (9 preceding siblings ...)
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
@ 2022-05-21 5:21 ` ffmpegagent
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 01/10] " softworkz
` (9 more replies)
10 siblings, 10 replies; 68+ messages in thread
From: ffmpegagent @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
The spec allows attachment sizes of up to UINT32_MAX while we can handle
only sizes up to INT32_MAX (in downstream code)
The debug.assert in get_tag didn't really address this, and truncating the
value_len in calling methods cannot be used because the length value is
required in order to continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
v2: Rebased & PING
v3: Adjustments suggested by Michael
v4: 1 of 11 merged, 10 to go..
v5: adjusted commit message of 4/10 as requested
softworkz (10):
libavformat/asf: fix handling of byte array length values
libavformat/asfdec: fix get_value return type and add checks for
libavformat/asfdec: fix type of value_len
libavformat/asfdec: fixing get_tag
libavformat/asfdec: implement parsing of GUID values
libavformat/asfdec: avoid clang warnings
libavformat/asfdec: remove variable redefinition in inner scope
libavformat/asfdec: ensure variables are initialized
libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
libavformat/asfdec: fix variable types and add checks for unsupported
values
libavformat/asf.c | 8 +-
libavformat/asf.h | 2 +-
libavformat/asfdec_f.c | 338 +++++++++++++++++++++++++++--------------
3 files changed, 229 insertions(+), 119 deletions(-)
base-commit: 9ab20b1614194280b862d98dfcdb7b1bcff03329
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-12%2Fsoftworkz%2Fmaster-upstream_asf_4-v5
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-12/softworkz/master-upstream_asf_4-v5
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/12
Range-diff vs v4:
1: 60966b7907 = 1: 7505ffa3c5 libavformat/asf: fix handling of byte array length values
2: 5acab7b52b = 2: f2d0b72bf0 libavformat/asfdec: fix get_value return type and add checks for
3: 97e0d765c9 = 3: 99660db6ef libavformat/asfdec: fix type of value_len
4: 025123f72d = 4: 8aaab15e8b libavformat/asfdec: fixing get_tag
5: 2d01e4dff5 = 5: ba31d01715 libavformat/asfdec: implement parsing of GUID values
6: 33b3d163df ! 6: d171cd5184 libavformat/asfdec: fix macro definition and use
@@ Metadata
Author: softworkz <softworkz@hotmail.com>
## Commit message ##
- libavformat/asfdec: fix macro definition and use
+ libavformat/asfdec: avoid clang warnings
+
+ such as:
+ - bugprone-macro-parentheses
+ - wextra-semi-stmt
Signed-off-by: softworkz <softworkz@hotmail.com>
7: 1509b83f47 = 7: 0d032d9d4c libavformat/asfdec: remove variable redefinition in inner scope
8: fd31b0be2e = 8: 6bdb2d8bec libavformat/asfdec: ensure variables are initialized
9: f8728b1c51 = 9: d510093ed6 libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
10: 78ed5aeb38 = 10: a05986d76b libavformat/asfdec: fix variable types and add checks for unsupported values
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 01/10] libavformat/asf: fix handling of byte array length values
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 02/10] libavformat/asfdec: fix get_value return type and add checks for softworkz
` (8 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
The spec allows attachment sizes of up to UINT32_MAX while
we can handle only sizes up to INT32_MAX (in downstream
code)
The debug.assert in get_tag didn't really address this,
and truncating the value_len in calling methods cannot
be used because the length value is required in order to
continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asf.c | 8 +++++++-
libavformat/asf.h | 2 +-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavformat/asf.c b/libavformat/asf.c
index 1285062220..bec7db0c7e 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -139,12 +139,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
}
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len)
+ uint32_t val_len)
{
+ if (val_len > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
+ return 1;
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
return asf_read_picture(s, val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
return get_id3_tag(s, val_len);
+ av_log(s, AV_LOG_DEBUG, "Unsupported byte array in tag %s.\n", name);
return 1;
}
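Review bot: the new INT32_MAX guard returns 1 (unsupported) rather than an error, so the caller still has to skip val_len bytes itself; that is fine as long as the skip uses the full uint32_t length and not a value that was narrowed to int. Also, until 4/10 lands get_tag still prints its own "Unsupported byte array" message whenever this function returns > 0, so with 1/10 applied alone every unsupported array is logged twice (DEBUG here, VERBOSE in get_tag). Either move the new av_log into the commit that removes the caller's message or say in the commit message that the duplication is temporary.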
diff --git a/libavformat/asf.h b/libavformat/asf.h
index 01cc4f7a46..4d28560f56 100644
--- a/libavformat/asf.h
+++ b/libavformat/asf.h
@@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[];
* is unsupported by this function and 0 otherwise.
*/
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len);
+ uint32_t val_len);
#define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
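Review bot: the doc comment above this prototype (ending "is unsupported by this function and 0 otherwise") should be updated to say that arrays larger than INT32_MAX are now also reported as unsupported (return 1) instead of being handled, since callers may want to distinguish that case from an unknown tag name.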
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 02/10] libavformat/asfdec: fix get_value return type and add checks for
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 01/10] " softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 03/10] libavformat/asfdec: fix type of value_len softworkz
` (7 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
unsupported values
get_value had a return type of int, which means that reading
QWORDS (case 4) was broken due to truncation of the result from
avio_rl64().
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 57 +++++++++++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 4770a812db..c7c4ba55d6 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -203,7 +203,7 @@ static int asf_probe(const AVProbeData *pd)
/* size of type 2 (BOOL) is 32bit for "Extended Content Description Object"
* but 16 bit for "Metadata Object" and "Metadata Library Object" */
-static int get_value(AVIOContext *pb, int type, int type2_size)
+static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
{
switch (type) {
case ASF_BOOL:
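Review bot: with the return type now uint64_t the function can no longer signal an error through a negative value, so whatever the default/unknown-type path of get_value returns (not visible in this hunk) should be rechecked; if it returns 0, callers cannot tell "unknown type" from a legitimate zero, and the two AspectRatio callers below will silently treat it as "not set".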
@@ -549,6 +549,8 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num = 0;
+ uint64_t dar_den = 0;
int desc_count, i, ret;
desc_count = avio_rl16(pb);
@@ -568,14 +570,27 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
/* My sample has that stream set to 0 maybe that mean the container.
* ASF stream count starts at 1. I am using 0 to the container value
* since it's unused. */
- if (!strcmp(name, "AspectRatioX"))
- asf->dar[0].num = get_value(s->pb, value_type, 32);
- else if (!strcmp(name, "AspectRatioY"))
- asf->dar[0].den = get_value(s->pb, value_type, 32);
+ if (!strcmp(name, "AspectRatioX")) {
+ dar_num = get_value(s->pb, value_type, 32);
+ if (dar_num > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num);
+ return AVERROR(ENOTSUP);
+ }
+ }
+ else if (!strcmp(name, "AspectRatioY")) {
+ dar_den = get_value(s->pb, value_type, 32);
+ if (dar_den > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den);
+ return AVERROR(ENOTSUP);
+ }
+ }
else
get_tag(s, name, value_type, value_len, 32);
}
+ if (dar_num && dar_den)
+ av_reduce(&asf->dar[0].num, &asf->dar[0].den, dar_num, dar_den, INT_MAX);
+
return 0;
}
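Review bot: returning AVERROR(ENOTSUP) here aborts parsing of the whole Extended Content Description object on an AspectRatioX/Y QWORD above INT64_MAX, which the old code silently truncated; a spec-legal but odd metadata value should not make the file undemuxable. Suggest logging and leaving dar_num/dar_den at 0 (so the av_reduce below is skipped) instead of returning, and if an error is kept, AV_LOG_DEBUG is too quiet for a hard failure.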
@@ -603,6 +618,8 @@ static int asf_read_metadata(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
+ uint64_t dar_num[128] = {0};
+ uint64_t dar_den[128] = {0};
int n, stream_num, name_len_utf16, name_len_utf8, value_len;
int ret, i;
n = avio_rl16(pb);
@@ -630,17 +647,29 @@ static int asf_read_metadata(AVFormatContext *s)
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
- if (!strcmp(name, "AspectRatioX")){
- int aspect_x = get_value(s->pb, value_type, 16);
- if(stream_num < 128)
- asf->dar[stream_num].num = aspect_x;
- } else if(!strcmp(name, "AspectRatioY")){
- int aspect_y = get_value(s->pb, value_type, 16);
- if(stream_num < 128)
- asf->dar[stream_num].den = aspect_y;
- } else {
+ if (!strcmp(name, "AspectRatioX") && stream_num < 128) {
+ dar_num[stream_num] = get_value(s->pb, value_type, 16);
+ if (dar_num[stream_num] > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioX value: %"PRIu64"\n", dar_num[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
+ }
+ else if (!strcmp(name, "AspectRatioY") && stream_num < 128) {
+ dar_den[stream_num] = get_value(s->pb, value_type, 16);
+ if (dar_den[stream_num] > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported AspectRatioY value: %"PRIu64"\n", dar_den[stream_num]);
+ return AVERROR(ENOTSUP);
+ }
+ } else
get_tag(s, name, value_type, value_len, 16);
+
+
+ if (stream_num < 128 && dar_num[stream_num] && dar_den[stream_num]) {
+ av_reduce(&asf->dar[stream_num].num, &asf->dar[stream_num].den, dar_num[stream_num], dar_den[stream_num], INT_MAX);
+ dar_num[stream_num] = 0;
+ dar_den[stream_num] = 0;
}
+
av_freep(&name);
}
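Review bot: adding `&& stream_num < 128` to the strcmp conditions changes behaviour for entries with stream_num >= 128: they now fall through to get_tag and are exported as ordinary metadata instead of being read and discarded, which the commit message does not mention. The double blank line after the `} else` branch should also go.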
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 03/10] libavformat/asfdec: fix type of value_len
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 01/10] " softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 02/10] libavformat/asfdec: fix get_value return type and add checks for softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 04/10] libavformat/asfdec: fixing get_tag softworkz
` (6 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
The value_len is a uint32, not an int32, per spec. That
value must not be truncated, neither by casting to int, nor by any
conditional checks, because at the end of get_tag, this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index c7c4ba55d6..eda7175c96 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
}
}
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
char *value = NULL;
@@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
static int asf_read_content_desc(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
- int len1, len2, len3, len4, len5;
+ uint32_t len1, len2, len3, len4, len5;
len1 = avio_rl16(pb);
len2 = avio_rl16(pb);
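Review bot: len1..len5 are read with avio_rl16, i.e. they are WORD-sized per spec, so uint16_t (or leaving them as int) describes them more precisely than uint32_t; the wider type is harmless only because get_tag now takes uint32_t, which is worth a word in the commit message.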
@@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
- int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+ int n, name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type;
+ uint32_t value_len;
int ret, i;
n = avio_rl16(pb);
for (i = 0; i < n; i++) {
uint8_t *name;
- int value_type;
avio_rl16(pb); // lang_list_index
- stream_num = avio_rl16(pb);
- name_len_utf16 = avio_rl16(pb);
- value_type = avio_rl16(pb); /* value_type */
- value_len = avio_rl32(pb);
+ stream_num = (uint16_t)avio_rl16(pb);
+ name_len_utf16 = (uint16_t)avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb); /* value_type */
+ value_len = avio_rl32(pb);
- if (value_len < 0 || value_len > UINT16_MAX)
- return AVERROR_INVALIDDATA;
-
- name_len_utf8 = 2*name_len_utf16 + 1;
- name = av_malloc(name_len_utf8);
+ name_len_utf8 = 2 * name_len_utf16 + 1;
+ name = av_malloc(name_len_utf8);
if (!name)
return AVERROR(ENOMEM);
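Review bot: dropping the `value_len > UINT16_MAX` rejection makes get_tag reachable with any 32-bit length, but at this point in the series get_tag still contains `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)`, which is compiled in unconditionally; between 3/10 and 4/10 a Metadata Object value length above roughly 1 GiB aborts the process instead of failing gracefully. Reorder so the get_tag rework lands before this check is removed, or squash the two. The `(uint16_t)` casts on the avio_rl16 results are redundant since the function already returns a value that fits.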
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 04/10] libavformat/asfdec: fixing get_tag
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (2 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 03/10] libavformat/asfdec: fix type of value_len softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 05/10] libavformat/asfdec: implement parsing of GUID values softworkz
` (5 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
These three are closely related and can't be separated easily:
In get_tag, the code was adding 22 bytes (in order to allow
it to hold 64-bit numbers as string) to the value len for
creating a buffer. This was unnecessarily imposing a
size-constraint on the value_len parameter.
The code in get_tag, was limiting the maximum value_len to
half the size of INT32. This was applied for all value types, even
though it is required only in case of ASF_UNICODE, not for any
other ones (like ASCII).
get_tag was always allocating a buffer regardless of the
datatype, even though this isn't required in case of ASF_BYTE_ARRAY
The check for the return value from ff_asf_handle_byte_array()
being >0 is removed here because the log message is emitted
by the function itself now.
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index eda7175c96..cb7da2d679 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -222,37 +222,63 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
{
ASFContext *asf = s->priv_data;
- char *value = NULL;
int64_t off = avio_tell(s->pb);
-#define LEN 22
-
- av_assert0((unsigned)len < (INT_MAX - LEN) / 2);
+ char *value = NULL;
+ uint64_t required_bufferlen;
+ int buffer_len;
if (!asf->export_xmp && !strncmp(key, "xmp", 3))
goto finish;
- value = av_malloc(2 * len + LEN);
+ switch (type) {
+ case ASF_UNICODE:
+ required_bufferlen = (uint64_t)len * 2 + 1;
+ break;
+ case -1: // ASCII
+ required_bufferlen = (uint64_t)len + 1;
+ break;
+ case ASF_BYTE_ARRAY:
+ ff_asf_handle_byte_array(s, key, len);
+ goto finish;
+ case ASF_BOOL:
+ case ASF_DWORD:
+ case ASF_QWORD:
+ case ASF_WORD:
+ required_bufferlen = 22;
+ break;
+ case ASF_GUID:
+ required_bufferlen = 33;
+ break;
+ default:
+ required_bufferlen = len;
+ break;
+ }
+
+ if (required_bufferlen > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle values > INT32_MAX in tag %s.\n", key);
+ goto finish;
+ }
+
+ buffer_len = (int)required_bufferlen;
+
+ value = av_malloc(buffer_len);
if (!value)
goto finish;
switch (type) {
case ASF_UNICODE:
- avio_get_str16le(s->pb, len, value, 2 * len + 1);
+ avio_get_str16le(s->pb, len, value, buffer_len);
break;
- case -1: // ASCI
- avio_read(s->pb, value, len);
- value[len]=0;
+ case -1: // ASCII
+ avio_read(s->pb, value, buffer_len - 1);
+ value[buffer_len - 1] = 0;
break;
- case ASF_BYTE_ARRAY:
- if (ff_asf_handle_byte_array(s, key, len) > 0)
- av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", key);
- goto finish;
case ASF_BOOL:
case ASF_DWORD:
case ASF_QWORD:
case ASF_WORD: {
uint64_t num = get_value(s->pb, type, type2_size);
- snprintf(value, LEN, "%"PRIu64, num);
+ snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
case ASF_GUID:
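Review bot: in the first switch the `default:` case sets required_bufferlen = len and the buffer is then allocated, yet the second switch's `default:` only logs "Unsupported value type" and goes to finish, so an unknown type with a large len allocates up to INT32_MAX bytes for nothing; reject unsupported types before av_malloc, the way ASF_BYTE_ARRAY already jumps to finish from the first switch. The ASCII branch still ignores the return value of avio_read, so a short read leaves uninitialised bytes in value ahead of the terminator; comparing the count against buffer_len - 1 would make the truncated case explicit.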
--
ffmpeg-codebot
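The four commit messages above (1/10 to 4/10) make one argument from different angles: a 32-bit length read from the file must neither be narrowed to int nor clamped, because it is also the distance to the next field, and any buffer size derived from it has to be computed wide enough to notice when it will not fit. The following is an added example written for this page, not code from the patch or from FFmpeg. It models the pre- and post-patch shapes of get_value, the buffer-size computation of 4/10, and a record parser that skips unsupported values by their full 32-bit length while bounding them by comparison rather than by cast. The Reader type, rd_le, the record layout and the sample bytes are constructed for the example; the type numbering is assumed to match the ASF_* enum in asf.h.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ASF value types, numbered as in the spec (assumed to match ASF_UNICODE..ASF_GUID). */
enum { T_UNICODE = 0, T_BYTE_ARRAY = 1, T_BOOL = 2, T_DWORD = 3, T_QWORD = 4, T_WORD = 5, T_GUID = 6 };

/* Hypothetical in-memory reader standing in for AVIOContext; bytes past the end read as 0. */
typedef struct { const uint8_t *data; size_t size, pos; } Reader;

static uint64_t rd_le(Reader *r, unsigned nbytes)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < nbytes; i++, r->pos++)
        v |= (uint64_t)(r->pos < r->size ? r->data[r->pos] : 0) << (8 * i);
    return v;
}

/* Pre-patch shape of get_value: an int cannot carry a QWORD, so the high 32 bits are
 * lost (and DWORDs >= 2^31 come back negative). */
static int get_value_int(Reader *r, int type)
{
    switch (type) {
    case T_BOOL: case T_DWORD: return (int)rd_le(r, 4);
    case T_WORD:               return (int)rd_le(r, 2);
    case T_QWORD:              return (int)rd_le(r, 8);
    default:                   return 0;
    }
}

/* Post-patch shape: the full value survives. */
static uint64_t get_value_u64(Reader *r, int type)
{
    switch (type) {
    case T_BOOL: case T_DWORD: return rd_le(r, 4);
    case T_WORD:               return rd_le(r, 2);
    case T_QWORD:              return rd_le(r, 8);
    default:                   return 0;
    }
}

/* Buffer needed for the string form of a value, computed in 64 bits from the untrusted
 * 32-bit length. Returns 0 and sets *need, or -1 when it would not fit an int
 * (caller then skips the value by length instead of allocating). */
static int get_tag_bufsize(int type, uint32_t len, uint64_t *need)
{
    switch (type) {
    case T_UNICODE: *need = (uint64_t)len * 2 + 1; break;  /* UTF-16LE -> UTF-8 + NUL */
    case T_BOOL: case T_DWORD: case T_QWORD: case T_WORD:
                    *need = 22; break;                      /* digits of a uint64 + NUL */
    case T_GUID:    *need = 33; break;                      /* 32 hex digits + NUL */
    default:        *need = (uint64_t)len + 1; break;       /* raw bytes + NUL */
    }
    return *need > INT32_MAX ? -1 : 0;
}

/* Parse [name_len u16][name][type u16][val_len u32][value] records (a simplified
 * Extended Content Description entry; layout assumed for this example). Numeric values
 * go to nums[]; everything else is skipped using the full 32-bit val_len.
 * Returns the record count, or -1 when a declared length runs past the data. */
static int parse_records(const uint8_t *data, size_t size, uint64_t *nums, int max_nums)
{
    Reader r = { data, size, 0 };
    int count = 0, n = 0;
    while (r.pos < r.size) {
        if (r.size - r.pos < 2) return -1;
        uint16_t name_len = (uint16_t)rd_le(&r, 2);
        if (name_len > r.size - r.pos) return -1;
        r.pos += name_len;                                  /* name not needed here */
        if (r.size - r.pos < 6) return -1;
        uint16_t type    = (uint16_t)rd_le(&r, 2);
        uint32_t val_len = (uint32_t)rd_le(&r, 4);
        if (val_len > r.size - r.pos) return -1;            /* truncated file, not a crash */
        size_t next = r.pos + val_len;
        if (type == T_BOOL || type == T_DWORD || type == T_QWORD || type == T_WORD) {
            if (n < max_nums) nums[n++] = get_value_u64(&r, type);
        }
        r.pos = next;                                       /* advance by declared length */
        count++;
    }
    return count;
}

/* Constructed sample: a QWORD of 2^32, a 3-byte byte array, and a WORD of 0x1234. */
static const uint8_t SAMPLE[] = {
    6,0, 'W','M','/','F','o','o',     4,0, 8,0,0,0, 0,0,0,0,1,0,0,0,
    7,0, 'W','M','/','B','l','o','b', 1,0, 3,0,0,0, 1,2,3,
    5,0, 'T','i','t','l','e',         5,0, 2,0,0,0, 0x34,0x12,
};
/* Constructed sample: a byte array claiming 0xFFFFFFF0 bytes with none present. */
static const uint8_t TRUNCATED[] = { 5,0, 'T','i','t','l','e', 1,0, 0xF0,0xFF,0xFF,0xFF };

int main(void)
{
    uint64_t nums[4] = {0}, need = 0;
    Reader a = { SAMPLE + 14, 8, 0 }, b = { SAMPLE + 14, 8, 0 };
    printf("QWORD via int: %d, via uint64_t: %llu\n",
           get_value_int(&a, T_QWORD), (unsigned long long)get_value_u64(&b, T_QWORD));
    printf("unicode len UINT32_MAX fits: %d\n", get_tag_bufsize(T_UNICODE, UINT32_MAX, &need));
    printf("records: %d, truncated: %d\n", parse_records(SAMPLE, sizeof SAMPLE, nums, 4),
           parse_records(TRUNCATED, sizeof TRUNCATED, nums, 4));
    return 0;
}
```

The bounds check in parse_records compares val_len against the bytes remaining instead of casting it, so a length of 0xFFFFFFF0 is rejected as truncation rather than becoming a negative int; get_tag_bufsize shows the same idea for the allocation size, where the pre-patch `2 * len + 22` was evaluated in int.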
* [FFmpeg-devel] [PATCH v5 05/10] libavformat/asfdec: implement parsing of GUID values
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (3 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 04/10] libavformat/asfdec: fixing get_tag softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 06/10] libavformat/asfdec: avoid clang warnings softworkz
` (4 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index cb7da2d679..81a29f99d5 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -281,9 +281,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len,
snprintf(value, buffer_len, "%"PRIu64, num);
break;
}
- case ASF_GUID:
- av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
- goto finish;
+ case ASF_GUID: {
+ ff_asf_guid g;
+ ff_get_guid(s->pb, &g);
+ snprintf(value, buffer_len, "%x", g[0]);
+ break;
+ }
default:
av_log(s, AV_LOG_DEBUG,
"Unsupported value type %d in tag %s.\n", type, key);
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 06/10] libavformat/asfdec: avoid clang warnings
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (4 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 05/10] libavformat/asfdec: implement parsing of GUID values softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 07/10] libavformat/asfdec: remove variable redefinition in inner scope softworkz
` (3 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
such as:
- bugprone-macro-parentheses
- wextra-semi-stmt
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 81a29f99d5..91c3874ac7 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -906,21 +906,21 @@ static int asf_read_header(AVFormatContext *s)
}
#define DO_2BITS(bits, var, defval) \
- switch (bits & 3) { \
+ switch ((bits) & 3) { \
case 3: \
- var = avio_rl32(pb); \
+ (var) = avio_rl32(pb); \
rsize += 4; \
break; \
case 2: \
- var = avio_rl16(pb); \
+ (var) = avio_rl16(pb); \
rsize += 2; \
break; \
case 1: \
- var = avio_r8(pb); \
+ (var) = avio_r8(pb); \
rsize++; \
break; \
default: \
- var = defval; \
+ (var) = (defval); \
break; \
}
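Review bot: parenthesising the arguments is fine, but the macro still expands to a bare switch statement, which is why the call sites below had to lose their ';' to silence -Wextra-semi-stmt; wrapping the body in do { ... } while (0) keeps each invocation a normal statement that takes a semicolon, nests correctly under an un-braced if/else, and leaves the existing call sites untouched. Note also that `(bits) & 3` changes nothing for the current callers because >> binds tighter than &, so this is hygiene rather than a fix, as the reworded commit message now says.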
@@ -1003,9 +1003,9 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
asf->packet_flags = c;
asf->packet_property = d;
- DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size);
- DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
- DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
+ DO_2BITS(asf->packet_flags >> 5, packet_length, s->packet_size)
+ DO_2BITS(asf->packet_flags >> 1, padsize, 0) // sequence ignored
+ DO_2BITS(asf->packet_flags >> 3, padsize, 0) // padding length
// the following checks prevent overflows and infinite loops
if (!packet_length || packet_length >= (1U << 29)) {
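Review bot: the semicolon-less invocations here (and in the two hunks below) read as incomplete statements and will be "fixed" back by the next person running a formatter; with a do { } while (0) macro these lines would keep their original form and this hunk would not be needed at all.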
@@ -1066,9 +1066,9 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
asf->stream_index = asf->asfid2avid[num & 0x7f];
asfst = &asf->streams[num & 0x7f];
// sequence should be ignored!
- DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0);
- DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
- DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
+ DO_2BITS(asf->packet_property >> 4, asf->packet_seq, 0)
+ DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0)
+ DO_2BITS(asf->packet_property, asf->packet_replic_size, 0)
av_log(asf, AV_LOG_TRACE, "key:%d stream:%d seq:%d offset:%d replic_size:%d num:%X packet_property %X\n",
asf->packet_key_frame, asf->stream_index, asf->packet_seq,
asf->packet_frag_offset, asf->packet_replic_size, num, asf->packet_property);
@@ -1144,7 +1144,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_flags & 0x01) {
- DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
+ DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0) // 0 is illegal
if (rsize > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
return AVERROR_INVALIDDATA;
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 07/10] libavformat/asfdec: remove variable redefinition in inner scope
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (5 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 06/10] libavformat/asfdec: avoid clang warnings softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 08/10] libavformat/asfdec: ensure variables are initialized softworkz
` (2 subsequent siblings)
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 91c3874ac7..fae15d9b05 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1191,7 +1191,7 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
return AVERROR_EOF;
if (asf->packet_size_left < FRAME_HEADER_SIZE ||
asf->packet_segments < 1 && asf->packet_time_start == 0) {
- int ret = asf->packet_size_left + asf->packet_padsize;
+ ret = asf->packet_size_left + asf->packet_padsize;
if (asf->packet_size_left && asf->packet_size_left < FRAME_HEADER_SIZE)
av_log(s, AV_LOG_WARNING, "Skip due to FRAME_HEADER_SIZE\n");
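Review bot: `ret = asf->packet_size_left + asf->packet_padsize;` now writes a function-scope `ret` that this hunk does not show; the commit message (currently only a Signed-off-by) should state that such a variable exists and that its earlier value is not needed past this point. While these lines are being touched, the condition `asf->packet_size_left < FRAME_HEADER_SIZE || asf->packet_segments < 1 && asf->packet_time_start == 0` mixes `||` and `&&` without parentheses; bracketing the `&&` term documents the intended precedence and silences the usual compiler warning.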
@@ -1260,7 +1260,6 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt)
if (asf_st->pkt.size != asf_st->packet_obj_size ||
// FIXME is this condition sufficient?
asf_st->frag_offset + asf->packet_frag_size > asf_st->pkt.size) {
- int ret;
if (asf_st->pkt.data) {
av_log(s, AV_LOG_INFO,
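Review bot: removing the inner `int ret;` changes which variable the assignments in the `if (asf_st->pkt.data)` block land in: they were confined to the block before and now overwrite the outer `ret`. Please confirm that nothing after this block in asf_parse_packet reads the outer `ret` expecting its earlier value, otherwise this is a behaviour change rather than the pure cleanup the subject line suggests.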
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 08/10] libavformat/asfdec: ensure variables are initialized
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (6 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 07/10] libavformat/asfdec: remove variable redefinition in inner scope softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 09/10] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index fae15d9b05..cb396cccfe 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -978,6 +978,7 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
avio_seek(pb, -1, SEEK_CUR); // FIXME
}
} else {
+ d = e = 0;
c = avio_r8(pb);
if (c & 0x80) {
rsize ++;
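Review bot: `d = e = 0;` in the else branch fixes the uninitialised read only for that path; initialising at the declaration (`int c, d = 0, e = 0, off;`) covers both branches, is easier to verify, and keeps a maybe-uninitialised warning from returning if the if branch is restructured. If the if branch already assigns both variables, a one-line commit message saying so would make the intent of this patch clear; it currently has none.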
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 09/10] libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (7 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 08/10] libavformat/asfdec: ensure variables are initialized softworkz
@ 2022-05-21 5:21 ` softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index cb396cccfe..95cab8b960 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -324,7 +324,7 @@ static int asf_read_file_properties(AVFormatContext *s)
return 0;
}
-static int asf_read_stream_properties(AVFormatContext *s, int64_t size)
+static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
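Review bot: making `size` unsigned changes the meaning of the subtractions in the function body, not only the parameter type. The video-branch test `size - (avio_tell(pb) - pos1 + 24) >= 51` (shown in the next patch) used to fail safely when the object had already been over-read, because the result went negative; with `uint64_t size` that case wraps to a huge value and the test passes. Either rewrite such checks in the form `size >= consumed + 51` or reject `size > INT64_MAX` at the top and keep the signed arithmetic.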
--
ffmpeg-codebot
* [FFmpeg-devel] [PATCH v5 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
` (8 preceding siblings ...)
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 09/10] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() softworkz
@ 2022-05-21 5:21 ` softworkz
9 siblings, 0 replies; 68+ messages in thread
From: softworkz @ 2022-05-21 5:21 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Michael Niedermayer, softworkz, Andreas Rheinhardt
From: softworkz <softworkz@hotmail.com>
Signed-off-by: softworkz <softworkz@hotmail.com>
---
libavformat/asfdec_f.c | 168 ++++++++++++++++++++++++++---------------
1 file changed, 108 insertions(+), 60 deletions(-)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 95cab8b960..d50682b901 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -333,9 +333,9 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
ASFStream *asf_st;
ff_asf_guid g;
enum AVMediaType type;
- int type_specific_size, sizeX;
- unsigned int tag1;
- int64_t pos1, pos2, start_time;
+ unsigned int tag1, type_specific_size, sizeX;
+ int64_t pos1, pos2;
+ uint32_t start_time;
int test_for_ext_stream_audio, is_dvr_ms_audio = 0;
if (s->nb_streams == ASF_MAX_STREAMS) {
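Review bot: a 168-line patch that flips the signedness of a dozen parsed fields and adds new rejection paths needs a commit message explaining the rule being applied (which values are treated as corrupt and which as merely unsupported); it currently carries only a Signed-off-by. On this hunk specifically, `start_time` is narrowed from `int64_t` to `uint32_t`; if it is later combined with 64-bit timestamps or scaled by a time base, the promotion rules change at that use site, and a cast or comment there would avoid surprises.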
@@ -404,7 +404,14 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
st->codecpar->codec_type = type;
if (type == AVMEDIA_TYPE_AUDIO) {
- int ret = ff_get_wav_header(s, pb, st->codecpar, type_specific_size, 0);
+ int ret;
+
+ if (type_specific_size > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported WAV header size (> INT32_MAX)\n");
+ return AVERROR(ENOTSUP);
+ }
+
+ ret = ff_get_wav_header(s, pb, st->codecpar, (int)type_specific_size, 0);
if (ret < 0)
return ret;
if (is_dvr_ms_audio) {
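Review bot: a `type_specific_size` above INT32_MAX is not a legitimate file the demuxer cannot handle, it is a broken header, so `AVERROR_INVALIDDATA` is the right return; `AVERROR(ENOTSUP)` (or FFmpeg's `AVERROR_PATCHWELCOME`) belongs to valid-but-unimplemented features. Logging the rejection at `AV_LOG_DEBUG` also hides why a file fails to open; this and the similar checks in the following hunks should use `AV_LOG_ERROR`, or at least `AV_LOG_WARNING`, when they abort parsing.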
@@ -434,21 +441,32 @@ static int asf_read_stream_properties(AVFormatContext *s, uint64_t size)
}
} else if (type == AVMEDIA_TYPE_VIDEO &&
size - (avio_tell(pb) - pos1 + 24) >= 51) {
+ unsigned int width, height;
avio_rl32(pb);
avio_rl32(pb);
avio_r8(pb);
avio_rl16(pb); /* size */
- sizeX = avio_rl32(pb); /* size */
- st->codecpar->width = avio_rl32(pb);
- st->codecpar->height = avio_rl32(pb);
+ sizeX = avio_rl32(pb); /* size */
+ width = avio_rl32(pb);
+ height = avio_rl32(pb);
+
+ if (width > INT32_MAX || height > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported video size %dx%d\n", width, height);
+ return AVERROR(ENOTSUP);
+ }
+
+ st->codecpar->width = (int)width;
+ st->codecpar->height = (int)height;
/* not available for asf */
avio_rl16(pb); /* panes */
st->codecpar->bits_per_coded_sample = avio_rl16(pb); /* depth */
tag1 = avio_rl32(pb);
avio_skip(pb, 20);
if (sizeX > 40) {
- if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
- return AVERROR_INVALIDDATA;
+ if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported extradata size\n");
+ return AVERROR(ENOTSUP);
+ }
st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40);
st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size +
AV_INPUT_BUFFER_PADDING_SIZE);
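Review bot: `width` and `height` are `unsigned int` but are printed with `%d`; use `%u` (the same applies to the other `unsigned`/`uint32_t` values logged with `%d` later in this patch). The extradata check below is also reclassified: `size < sizeX - 40` means the video format header claims more bytes than the enclosing object contains, which is corruption and should keep returning `AVERROR_INVALIDDATA`; only the `sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` half is arguably an unsupported size.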
@@ -500,9 +518,9 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
ff_asf_guid g;
- int ext_len, payload_ext_ct, stream_ct, i;
- uint32_t leak_rate, stream_num;
- unsigned int stream_languageid_index;
+ uint16_t payload_ext_ct, stream_ct, i;
+ uint32_t leak_rate, ext_len;
+ uint16_t stream_languageid_index, stream_num;
avio_rl64(pb); // starttime
avio_rl64(pb); // endtime
@@ -514,15 +532,15 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
avio_rl32(pb); // alt-init-bucket-fullness
avio_rl32(pb); // max-object-size
avio_rl32(pb); // flags (reliable,seekable,no_cleanpoints?,resend-live-cleanpoints, rest of bits reserved)
- stream_num = avio_rl16(pb); // stream-num
+ stream_num = (uint16_t)avio_rl16(pb); // stream-num
- stream_languageid_index = avio_rl16(pb); // stream-language-id-index
+ stream_languageid_index = (uint16_t)avio_rl16(pb); // stream-language-id-index
if (stream_num < 128)
asf->streams[stream_num].stream_language_index = stream_languageid_index;
avio_rl64(pb); // avg frametime in 100ns units
- stream_ct = avio_rl16(pb); // stream-name-count
- payload_ext_ct = avio_rl16(pb); // payload-extension-system-count
+ stream_ct = (uint16_t)avio_rl16(pb); // stream-name-count
+ payload_ext_ct = (uint16_t)avio_rl16(pb); // payload-extension-system-count
if (stream_num < 128) {
asf->stream_bitrates[stream_num] = leak_rate;
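Review bot: the `(uint16_t)` casts on `avio_rl16()` results are redundant, since assigning to a `uint16_t` performs exactly that conversion, and they are repeated on every read in this and the following hunks. If they exist to silence clang's implicit-conversion warning, a single static inline wrapper around `avio_rl16()` returning `uint16_t`, or a sentence in the commit message, would be less noisy than casting each call.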
@@ -536,12 +554,10 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
}
for (i = 0; i < payload_ext_ct; i++) {
- int size;
+ uint16_t size;
ff_get_guid(pb, &g);
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
ext_len = avio_rl32(pb);
- if (ext_len < 0)
- return AVERROR_INVALIDDATA;
avio_skip(pb, ext_len);
if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
ASFPayload *p = &asf->streams[stream_num].payload[i];
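Review bot: removing the `ext_len < 0` check is not a pure cleanup. As a signed `int`, values of 0x80000000 and above were rejected as invalid data; with `uint32_t ext_len` they go straight into `avio_skip(pb, ext_len)`, whose return value is ignored, so a corrupt extension length now silently seeks up to 4 GiB forward and parsing continues on whatever follows. Keep an upper bound here (the remaining object size, or at least `ext_len <= INT32_MAX`) or check the result of `avio_skip()`.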
@@ -580,20 +596,21 @@ static int asf_read_ext_content_desc(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num = 0;
uint64_t dar_den = 0;
- int desc_count, i, ret;
+ uint16_t desc_count, i;
+ int ret;
- desc_count = avio_rl16(pb);
+ desc_count = (uint16_t)avio_rl16(pb);
for (i = 0; i < desc_count; i++) {
- int name_len, value_type, value_len;
+ uint16_t name_len, value_type, value_len;
char name[1024];
- name_len = avio_rl16(pb);
+ name_len = (uint16_t)avio_rl16(pb);
if (name_len % 2) // must be even, broken lavf versions wrote len-1
name_len += 1;
if ((ret = avio_get_str16le(pb, name_len, name, sizeof(name))) < name_len)
avio_skip(pb, name_len - ret);
- value_type = avio_rl16(pb);
- value_len = avio_rl16(pb);
+ value_type = (uint16_t)avio_rl16(pb);
+ value_len = (uint16_t)avio_rl16(pb);
if (!value_type && value_len % 2)
value_len += 1;
/* My sample has that stream set to 0 maybe that mean the container.
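Review bot: `name_len += 1;` and `value_len += 1;` now wrap to 0 when the 16-bit length is 0xFFFF, because the increment happens in `int` and is stored back into a `uint16_t`; the previous `int` variables simply became 65536. With a length of 0 the `avio_get_str16le()` call reads nothing, the `< name_len` skip does not trigger, and the parser resumes in the middle of the name bytes. Do the rounding in an `int` or `unsigned` temporary, or reject an odd 0xFFFF explicitly.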
@@ -627,14 +644,16 @@ static int asf_read_language_list(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int j, ret;
- int stream_count = avio_rl16(pb);
+ int ret;
+ uint16_t j;
+ const uint16_t stream_count = (uint16_t)avio_rl16(pb);
+
for (j = 0; j < stream_count; j++) {
char lang[6];
- unsigned int lang_len = avio_r8(pb);
+ const uint8_t lang_len = (uint8_t)avio_r8(pb);
if ((ret = avio_get_str16le(pb, lang_len, lang,
sizeof(lang))) < lang_len)
- avio_skip(pb, lang_len - ret);
+ avio_skip(pb, (int)lang_len - ret);
if (j < 128)
av_strlcpy(asf->stream_languages[j], lang,
sizeof(*asf->stream_languages));
@@ -649,14 +668,14 @@ static int asf_read_metadata(AVFormatContext *s)
ASFContext *asf = s->priv_data;
uint64_t dar_num[128] = {0};
uint64_t dar_den[128] = {0};
- int n, name_len_utf8;
- uint16_t stream_num, name_len_utf16, value_type;
+ int name_len_utf8;
+ uint16_t stream_num, name_len_utf16, value_type, i, n;
uint32_t value_len;
- int ret, i;
- n = avio_rl16(pb);
+ int ret;
+ n = (uint16_t)avio_rl16(pb);
for (i = 0; i < n; i++) {
- uint8_t *name;
+ char *name;
avio_rl16(pb); // lang_list_index
stream_num = (uint16_t)avio_rl16(pb);
@@ -670,7 +689,7 @@ static int asf_read_metadata(AVFormatContext *s)
return AVERROR(ENOMEM);
if ((ret = avio_get_str16le(pb, name_len_utf16, name, name_len_utf8)) < name_len_utf16)
- avio_skip(pb, name_len_utf16 - ret);
+ avio_skip(pb, (int)name_len_utf16 - ret);
av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
i, stream_num, name_len_utf16, value_type, value_len, name);
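Review bot: `value_len` is `uint32_t` (declared in the previous hunk) but is still printed with `%4d` in the trace line under the changed `avio_skip()`; use `%4u`. The `(int)name_len_utf16 - ret` cast is harmless but unnecessary, as `uint16_t` already promotes to `int` in the subtraction.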
@@ -707,19 +726,21 @@ static int asf_read_marker(AVFormatContext *s)
{
AVIOContext *pb = s->pb;
ASFContext *asf = s->priv_data;
- int i, count, name_len, ret;
+ int ret;
+ unsigned count, i;
+ uint16_t name_len;
char name[1024];
avio_rl64(pb); // reserved 16 bytes
avio_rl64(pb); // ...
count = avio_rl32(pb); // markers count
avio_rl16(pb); // reserved 2 bytes
- name_len = avio_rl16(pb); // name length
+ name_len = (uint16_t)avio_rl16(pb); // name length
avio_skip(pb, name_len);
for (i = 0; i < count; i++) {
- int64_t pres_time;
- int name_len;
+ uint64_t pres_time;
+ unsigned name2_len;
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
@@ -730,13 +751,18 @@ static int asf_read_marker(AVFormatContext *s)
avio_rl16(pb); // entry length
avio_rl32(pb); // send time
avio_rl32(pb); // flags
- name_len = avio_rl32(pb); // name length
- if ((unsigned)name_len > INT_MAX / 2)
+ name2_len = avio_rl32(pb); // name length
+ if (name2_len > INT_MAX / 2)
return AVERROR_INVALIDDATA;
- if ((ret = avio_get_str16le(pb, name_len * 2, name,
- sizeof(name))) < name_len)
- avio_skip(pb, name_len - ret);
- avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, pres_time,
+ if ((ret = avio_get_str16le(pb, (int)name2_len, name,
+ sizeof(name))) < name2_len)
+ avio_skip(pb, name2_len - ret);
+
+ if (pres_time > INT64_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported presentation time value: %"PRIu64"\n", pres_time);
+ return AVERROR(ENOTSUP);
+ }
+ avpriv_new_chapter(s, i, (AVRational) { 1, 10000000 }, (int64_t)pres_time,
AV_NOPTS_VALUE, name);
}
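Review bot: the `avio_get_str16le()` call used to be given `name_len * 2` as its byte budget and is now given `name2_len` with no explanation, so either the old code read past the description or the new code reads only half of it, after which `avio_skip(pb, name2_len - ret)` leaves the parser mid-string. Whether the marker description length counts bytes or UTF-16 code units decides which is right; the commit message should say which, and the skip and the `INT_MAX / 2` bound should then be made consistent with that unit. The `pres_time > INT64_MAX` check is fine, but, as elsewhere in this patch, rejecting at `AV_LOG_DEBUG` hides why the file was refused.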
@@ -749,7 +775,7 @@ static int asf_read_header(AVFormatContext *s)
ff_asf_guid g;
AVIOContext *pb = s->pb;
int i;
- int64_t gsize;
+ uint64_t gsize;
ff_get_guid(pb, &g);
if (ff_guidcmp(&g, &ff_asf_header))
@@ -764,7 +790,7 @@ static int asf_read_header(AVFormatContext *s)
asf->streams[i].stream_language_index = 128; // invalid stream index means no language info
for (;;) {
- uint64_t gpos = avio_tell(pb);
+ const int64_t gpos = avio_tell(pb);
int ret = 0;
ff_get_guid(pb, &g);
gsize = avio_rl64(pb);
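Review bot: with `gsize` now `uint64_t` and `gpos` a `const int64_t`, any offset arithmetic in the rest of this loop such as `gpos + gsize` is evaluated unsigned, so a bogus object size no longer yields a negative seek target but a wrapped positive one. Make sure the existing sanity check on `gsize` (not part of this hunk) rejects values above `INT64_MAX` before `gsize` is combined with file positions.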
@@ -819,7 +845,12 @@ static int asf_read_header(AVFormatContext *s)
len= avio_rl32(pb);
av_log(s, AV_LOG_DEBUG, "Secret data:\n");
- if ((ret = av_get_packet(pb, pkt, len)) < 0)
+ if (len > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported encryption packet length: %d\n", len);
+ return AVERROR(ENOTSUP);
+ }
+
+ if ((ret = av_get_packet(pb, pkt, (int)len)) < 0)
return ret;
av_hex_dump_log(s, AV_LOG_DEBUG, pkt->data, pkt->size);
av_packet_unref(pkt);
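Review bot: the new bound on `len` still lets a crafted content-encryption object make `av_get_packet()` allocate and read up to 2 GiB purely to hex-dump it at debug level; since the data is discarded right after `av_hex_dump_log()`, cap the read at a small sane size, or `avio_skip()` the object when debug logging is off, rather than allowing `INT32_MAX`. Also, for `len > INT32_MAX` to be a meaningful test `len` must be unsigned, in which case the `%d` in the log line should be `%u`.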
@@ -933,7 +964,7 @@ static int asf_read_header(AVFormatContext *s)
static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
{
ASFContext *asf = s->priv_data;
- uint32_t packet_length, padsize;
+ uint32_t packet_length, packet_ts, padsize;
int rsize = 8;
int c, d, e, off;
@@ -1021,7 +1052,12 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
- asf->packet_timestamp = avio_rl32(pb);
+ packet_ts = avio_rl32(pb);
+ if (packet_ts > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_timestamp value: %d\n", packet_ts);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_timestamp = (int)packet_ts;
avio_rl16(pb); /* duration */
// rsize has at least 11 bytes which have to be present
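Review bot: `packet_ts` is `uint32_t` but is printed with `%d`; use `%u`. More importantly, a send time of 2^31 ms and above (about 24.9 days) is a legal value of a 32-bit millisecond field, so refusing the whole stream with `AVERROR(ENOTSUP)` here is a regression for long recordings; widening `asf->packet_timestamp` to `int64_t` would accept it without rejecting anything.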
@@ -1040,10 +1076,21 @@ static int asf_get_packet(AVFormatContext *s, AVIOContext *pb)
rsize, packet_length, padsize, avio_tell(pb));
return AVERROR_INVALIDDATA;
}
- asf->packet_size_left = packet_length - padsize - rsize;
+
+ if (packet_length - padsize - rsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet_size_left value: %d\n", packet_length - padsize - rsize);
+ return AVERROR(ENOTSUP);
+ }
+ asf->packet_size_left = (int)(packet_length - padsize - rsize);
+
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
- asf->packet_padsize = padsize;
+ if (padsize > INT32_MAX) {
+ av_log(s, AV_LOG_DEBUG, "Unsupported packet padsize value: %d\n", padsize);
+ return AVERROR(ENOTSUP);
+ }
+
+ asf->packet_padsize = (int)padsize;
av_log(s, AV_LOG_TRACE, "packet: size=%d padsize=%d left=%d\n",
s->packet_size, asf->packet_padsize, asf->packet_size_left);
return 0;
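Review bot: the `packet_length - padsize - rsize > INT32_MAX` test is dead code: `packet_length` is already rejected at `>= (1U << 29)` earlier in asf_get_packet, and the check just above (the one that logs rsize, packet_length and padsize before returning `AVERROR_INVALIDDATA`) is there to guarantee `packet_length >= padsize + rsize`, so the difference is always below 2^29. Drop it, or make it an `av_assert0()` if the intent is to document the invariant. Both new log lines print `uint32_t` values with `%d`; use `%u`.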
@@ -1078,22 +1125,23 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb)
return AVERROR_INVALIDDATA;
}
if (asf->packet_replic_size >= 8) {
- int64_t end = avio_tell(pb) + asf->packet_replic_size;
+ const int64_t end = avio_tell(pb) + asf->packet_replic_size;
AVRational aspect;
- asfst->packet_obj_size = avio_rl32(pb);
- if (asfst->packet_obj_size >= (1 << 24) || asfst->packet_obj_size < 0) {
+ const unsigned packet_obj_size = avio_rl32(pb);
+ if (packet_obj_size >= (1 << 24)) {
av_log(s, AV_LOG_ERROR, "packet_obj_size %d invalid\n", asfst->packet_obj_size);
asfst->packet_obj_size = 0;
return AVERROR_INVALIDDATA;
}
+ asfst->packet_obj_size = (int)packet_obj_size;
asf->packet_frag_timestamp = avio_rl32(pb); // timestamp
for (i = 0; i < asfst->payload_ext_ct; i++) {
ASFPayload *p = &asfst->payload[i];
- int size = p->size;
+ uint16_t size = p->size;
int64_t payend;
if (size == 0xFFFF)
- size = avio_rl16(pb);
+ size = (uint16_t)avio_rl16(pb);
payend = avio_tell(pb) + size;
if (payend > end) {
av_log(s, AV_LOG_ERROR, "too long payload\n");
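Review bot: the error message in the `packet_obj_size >= (1 << 24)` branch prints `asfst->packet_obj_size`, which is the stale value from the previous packet, because the field is only assigned after the check; it should print the local `packet_obj_size` (with `%u`, since it is `unsigned`). Resetting `asfst->packet_obj_size = 0` before returning still makes sense, but the log as written misleads whoever debugs the file.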
@@ -1494,7 +1542,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
ASFStream *asf_st;
int64_t pts;
int64_t pos = *ppos;
- int i;
+ unsigned i;
int64_t start_pos[ASF_MAX_STREAMS];
for (i = 0; i < s->nb_streams; i++)
@@ -1551,7 +1599,7 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
int64_t ret;
if((ret = avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET)) < 0) {
- return ret;
+ return (int)ret;
}
if ((ret = ff_get_guid(s->pb, &g)) < 0)
--
ffmpeg-codebot
Thread overview: 68+ messages
2021-12-22 15:13 [PATCH 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2021-12-22 15:13 ` [PATCH 01/11] " ffmpegagent
2021-12-22 15:13 ` [PATCH 02/11] libavformat/asfdec: fix get_value return type and add checks for ffmpegagent
2021-12-22 15:13 ` [PATCH 03/11] libavformat/asfdec: fix type of value_len ffmpegagent
2021-12-22 15:13 ` [PATCH 04/11] libavformat/asfdec: fixing get_tag ffmpegagent
2021-12-22 15:13 ` [PATCH 05/11] libavformat/asfdec: implement parsing of GUID values ffmpegagent
2021-12-22 15:13 ` [PATCH 06/11] libavformat/asfdec: remove unused parameters ffmpegagent
2021-12-22 18:16 ` Soft Works
2021-12-22 15:13 ` [PATCH 07/11] libavformat/asfdec: fix macro definition and use ffmpegagent
2021-12-22 16:23 ` Soft Works
2021-12-22 15:13 ` [PATCH 08/11] libavformat/asfdec: remove variable redefinition in inner scope ffmpegagent
2021-12-22 15:13 ` [PATCH 09/11] libavformat/asfdec: ensure variables are initialized ffmpegagent
2021-12-22 15:13 ` [PATCH 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() ffmpegagent
2021-12-22 15:13 ` [PATCH 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 01/11] " softworkz
2022-05-07 18:48 ` Michael Niedermayer
2022-05-08 2:27 ` Soft Works
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
2022-05-07 18:57 ` Michael Niedermayer
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 03/11] libavformat/asfdec: fix type of value_len softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 04/11] libavformat/asfdec: fixing get_tag softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 05/11] libavformat/asfdec: implement parsing of GUID values softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 06/11] libavformat/asfdec: remove unused parameters softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 07/11] libavformat/asfdec: fix macro definition and use softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 08/11] libavformat/asfdec: remove variable redefinition in inner scope softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 09/11] libavformat/asfdec: ensure variables are initialized softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() softworkz
2022-05-07 9:36 ` [FFmpeg-devel] [PATCH v2 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 00/11] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 01/11] " softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 02/11] libavformat/asfdec: fix get_value return type and add checks for softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 03/11] libavformat/asfdec: fix type of value_len softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 04/11] libavformat/asfdec: fixing get_tag softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 05/11] libavformat/asfdec: implement parsing of GUID values softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 06/11] libavformat/asfdec: remove unused parameters softworkz
2022-05-08 18:50 ` Michael Niedermayer
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 07/11] libavformat/asfdec: fix macro definition and use softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 08/11] libavformat/asfdec: remove variable redefinition in inner scope softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 09/11] libavformat/asfdec: ensure variables are initialized softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 10/11] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() softworkz
2022-05-08 3:01 ` [FFmpeg-devel] [PATCH v3 11/11] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 01/10] " softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 02/10] libavformat/asfdec: fix get_value return type and add checks for softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 03/10] libavformat/asfdec: fix type of value_len softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 04/10] libavformat/asfdec: fixing get_tag softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 05/10] libavformat/asfdec: implement parsing of GUID values softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 06/10] libavformat/asfdec: fix macro definition and use softworkz
2022-05-15 18:12 ` Andreas Rheinhardt
2022-05-15 22:51 ` Soft Works
2022-05-16 8:48 ` Andreas Rheinhardt
2022-05-16 22:03 ` Soft Works
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 07/10] libavformat/asfdec: remove variable redefinition in inner scope softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 08/10] libavformat/asfdec: ensure variables are initialized softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 09/10] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() softworkz
2022-05-14 20:55 ` [FFmpeg-devel] [PATCH v4 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 00/10] libavformat/asf: fix handling of byte array length values ffmpegagent
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 01/10] " softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 02/10] libavformat/asfdec: fix get_value return type and add checks for softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 03/10] libavformat/asfdec: fix type of value_len softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 04/10] libavformat/asfdec: fixing get_tag softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 05/10] libavformat/asfdec: implement parsing of GUID values softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 06/10] libavformat/asfdec: avoid clang warnings softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 07/10] libavformat/asfdec: remove variable redefinition in inner scope softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 08/10] libavformat/asfdec: ensure variables are initialized softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 09/10] libavformat/asfdec: fix parameter type in asf_read_stream_propertie() softworkz
2022-05-21 5:21 ` [FFmpeg-devel] [PATCH v5 10/10] libavformat/asfdec: fix variable types and add checks for unsupported values softworkz