On 26.06.2015 01:36, Michael Niedermayer wrote:
> On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote:
>> Otherwise sm_size can be larger than size, which results in a negative
>> packet size.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavformat/nutdec.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> 
> 
>>
>> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
>> index 13fb399..43bd27b 100644
>> --- a/libavformat/nutdec.c
>> +++ b/libavformat/nutdec.c
>> @@ -888,7 +888,7 @@ fail:
>>  
>>  static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, 
>> int is_meta, int64_t maxpos)
>>  {
>> -    int count = ffio_read_varlen(bc);
>> +    int count;
>>      int skip_start = 0;
>>      int skip_end = 0;
>>      int channels = 0;
>> @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext 
>> *bc, AVPacket *pkt, int
>>      int height = 0;
>>      int i, ret;
>>  
>> +    if (avio_tell(bc) >= maxpos)
>> +        return AVERROR_INVALIDDATA;
>> +
>> +    count = ffio_read_varlen(bc);
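Review bot: the new `avio_tell(bc) >= maxpos` check guards the position only before `count = ffio_read_varlen(bc);` runs, so a varlen that consumes bytes past maxpos and still yields a count of 0 skips the per-item checks in the loop that follows; a second check right after the read, e.g. `if (avio_tell(bc) > maxpos) return AVERROR_INVALIDDATA;`, would close that gap, or the caller can verify `sm_size <= size` after read_sm_data() returns. The new early return is also silent, so consider an av_log() message in the style of the decode_frame() check attached further down, otherwise a rejected file leaves no trace in the log.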
> 
> ffio_read_varlen() could move the position beyond maxpos yet return
> 0 so the loop with the checks inside is skipped

That is exactly the problem, because then sm_size can be larger than size.
An alternative would be to directly check for that, like in the attached patch.

Best regards,
Andreas
From 25322c14b9ca46cc1c841dfdcc37ee42d16ea639 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Fri, 26 Jun 2015 19:25:05 +0200
Subject: [PATCH] nutdec: ensure non-negative packet size

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/nutdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 13fb399..3d6fb64 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1136,6 +1136,12 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
             goto fail;
         }
         sm_size = avio_tell(bc) - pkt->pos;
+        if (size < sm_size) {
+            av_log(s, AV_LOG_ERROR, "size %d smaller than sm_size %d\n",
+                   size, sm_size);
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
         size      -= sm_size;
         pkt->size -= sm_size;
     }
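Review bot: the `if (size < sm_size)` check runs only after read_sm_data() has already advanced the AVIOContext past the packet boundary, so it correctly rejects the packet and prevents `size` and `pkt->size` from going negative, but it does not stop the over-read itself; keeping this check together with a maxpos bound inside read_sm_data() covers both. The av_log() call prints `sm_size` with `%d` while `avio_tell(bc) - pkt->pos` is int64_t arithmetic; if `sm_size` is declared as int (its declaration is not in this hunk), the truncation already happens on the assignment line, so either compare against the int64_t difference or widen `sm_size` and use `%"PRId64"` in the message.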
-- 
2.1.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel