On 27.06.2015 02:31, Michael Niedermayer wrote:
> On Fri, Jun 26, 2015 at 07:28:36PM +0200, Andreas Cadhalpun wrote:
>> On 26.06.2015 01:36, Michael Niedermayer wrote:
>>> On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote:
>>>> Otherwise sm_size can be larger than size, which results in a negative
>>>> packet size.
>>>>
>>>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>>>> ---
>>>>  libavformat/nutdec.c | 7 ++++++-
>>>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>>
>>>
>>>>
>>>> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
>>>> index 13fb399..43bd27b 100644
>>>> --- a/libavformat/nutdec.c
>>>> +++ b/libavformat/nutdec.c
>>>> @@ -888,7 +888,7 @@ fail:
>>>>  
>>>>  static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket 
>>>> *pkt, int is_meta, int64_t maxpos)
>>>>  {
>>>> -    int count = ffio_read_varlen(bc);
>>>> +    int count;
>>>>      int skip_start = 0;
>>>>      int skip_end = 0;
>>>>      int channels = 0;
>>>> @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, 
>>>> AVIOContext *bc, AVPacket *pkt, int
>>>>      int height = 0;
>>>>      int i, ret;
>>>>  
>>>> +    if (avio_tell(bc) >= maxpos)
>>>> +        return AVERROR_INVALIDDATA;
>>>> +
>>>> +    count = ffio_read_varlen(bc);
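Review bot: the guard `if (avio_tell(bc) >= maxpos)` only establishes that at least one byte remains before `count = ffio_read_varlen(bc);`; it does not bound the varlen read itself. A multi-byte encoding can move the position past maxpos while still yielding count 0, in which case the loop and the checks inside it never execute and the function returns 0 with the position beyond maxpos, which is exactly the sm_size > size condition from the commit message. Comparing `avio_tell(bc)` against maxpos again after the loop, before the success return, closes that path.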
>>>
>>> ffio_read_varlen() could move the position beyond maxpos yet return
>>> 0 so the loop with the checks inside is skipped
>>
>> That is exactly the problem, because then sm_size can be larger than size.
>> An alternative would be to directly check for that, like in attached patch.
> 
> wouldn't checking after the loop in read_sm_data() before returning
> success be more robust?
> It would exit sooner if the problem occurs in the first call
> and avoid potential integer overflows

OK, new patch attached.

> but I am fine with any solution that works

Me too.

Best regards,
Andreas

From 4e10305531d162fff2a7daac49cc046c771909a9 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Sat, 27 Jun 2015 17:50:56 +0200
Subject: [PATCH] nutdec: check maxpos in read_sm_data before returning success

Otherwise sm_size can be larger than size, which results in a negative
packet size.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/nutdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 13fb399..606deaa 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1005,6 +1005,9 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
         AV_WL32(dst+4, skip_end);
     }
 
+    if (avio_tell(bc) >= maxpos)
+        return AVERROR_INVALIDDATA;
+
     return 0;
 }
 
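Review bot: since the new check runs only after the whole loop, the `>=` comparison is what separates the in-bounds case from the overrun, and it rejects side data that ends exactly at maxpos (sm_size == size, a zero-byte packet payload) together with the sm_size > size case the commit message describes. If rejecting the equal case is intended, a sentence in the commit message saying so would help; if not, `>` is the comparison. As discussed above, an overrun that happens inside the loop is only reported once the loop has finished, so the per-element checks inside the loop remain necessary alongside this final one.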
-- 
2.1.4
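
The failure mode discussed in this thread, as an added example that is not FFmpeg code and not code from either participant: a toy model of read_sm_data() and its caller. All names (toy_io, toy_read_varlen, read_sm_data_precheck, read_sm_data_postcheck, toy_decode_frame) are hypothetical, and the side-data layout is simplified to a varlen element count followed by, per element, a varlen length and that many payload bytes. The inputs are constructed. The point it shows: a varlen encoding such as 0x80 0x80 0x00 decodes to 0 but consumes three bytes, so a position check before the read of count still lets the position run past maxpos with an empty loop, while the check after the loop reports the overrun.

```c
/* Added example, not FFmpeg code: toy model of read_sm_data() and its caller.
 * Every name here is hypothetical; the side-data layout is simplified. */
#include <stdint.h>
#include <stdio.h>

#define TOY_ERROR_INVALIDDATA (-1)

/* Stand-in for AVIOContext: a byte buffer plus a read position. */
typedef struct {
    const uint8_t *data;
    int64_t size;   /* bytes available in the buffer (the "file") */
    int64_t pos;    /* current read position, like avio_tell() */
} toy_io;

/* Like avio_r8(): returns 0 at EOF instead of failing. */
static int toy_r8(toy_io *bc)
{
    if (bc->pos >= bc->size)
        return 0;
    return bc->data[bc->pos++];
}

/* Same shape as ffio_read_varlen(): 7 value bits per byte, MSB set means
 * another byte follows. 0x80 0x80 0x00 decodes to 0 but consumes 3 bytes. */
static uint64_t toy_read_varlen(toy_io *bc)
{
    uint64_t val = 0;
    int tmp;
    do {
        tmp = toy_r8(bc);
        val = (val << 7) + (tmp & 127);
    } while (tmp & 128);
    return val;
}

/* One side-data element: varlen length, then that many payload bytes.
 * The bounds check here plays the role of "the checks inside the loop". */
static int toy_read_element(toy_io *bc, int64_t maxpos)
{
    uint64_t len = toy_read_varlen(bc);
    if (bc->pos >= maxpos || len > (uint64_t)(maxpos - bc->pos))
        return TOY_ERROR_INVALIDDATA;
    bc->pos += (int64_t)len;
    return 0;
}

/* Variant of the first patch: check only before reading count. */
static int read_sm_data_precheck(toy_io *bc, int64_t maxpos)
{
    uint64_t count, i;
    if (bc->pos >= maxpos)
        return TOY_ERROR_INVALIDDATA;
    count = toy_read_varlen(bc);   /* may pass maxpos and still return 0 */
    for (i = 0; i < count; i++) {
        int ret = toy_read_element(bc, maxpos);
        if (ret < 0)
            return ret;
    }
    return 0;
}

/* Variant of the second patch: check after the loop, before success. */
static int read_sm_data_postcheck(toy_io *bc, int64_t maxpos)
{
    uint64_t count = toy_read_varlen(bc), i;
    for (i = 0; i < count; i++) {
        int ret = toy_read_element(bc, maxpos);
        if (ret < 0)
            return ret;
    }
    if (bc->pos >= maxpos)
        return TOY_ERROR_INVALIDDATA;
    return 0;
}

typedef struct {
    int ret;             /* return value of the side-data parser */
    int64_t packet_size; /* size - sm_size, as the caller computes it */
} toy_result;

/* Models the caller: maxpos is the end of the packet, sm_size is what the
 * parser consumed, the payload is what is left. Negative = the reported bug. */
static toy_result toy_decode_frame(int (*parse)(toy_io *, int64_t),
                                   const uint8_t *buf, int64_t buflen,
                                   int64_t size)
{
    toy_io bc = { buf, buflen, 0 };
    toy_result r;
    int64_t pos = bc.pos;
    r.ret = parse(&bc, pos + size);
    r.packet_size = size - (bc.pos - pos);
    return r;
}

/* Constructed inputs. crafted: a 2-byte packet whose side data is count 0
 * encoded in three bytes, followed by two bytes of the next packet.
 * wellformed: a 6-byte packet with one 2-byte element and a 2-byte payload. */
static const uint8_t crafted[]    = { 0x80, 0x80, 0x00, 0xAA, 0xBB };
static const uint8_t wellformed[] = { 0x01, 0x02, 0x11, 0x22, 0x33, 0x44 };

int main(void)
{
    toy_result a = toy_decode_frame(read_sm_data_precheck,  crafted, 5, 2);
    toy_result b = toy_decode_frame(read_sm_data_postcheck, crafted, 5, 2);
    toy_result c = toy_decode_frame(read_sm_data_postcheck, wellformed, 6, 6);
    printf("precheck:   ret=%d packet_size=%lld\n", a.ret, (long long)a.packet_size);
    printf("postcheck:  ret=%d packet_size=%lld\n", b.ret, (long long)b.packet_size);
    printf("wellformed: ret=%d packet_size=%lld\n", c.ret, (long long)c.packet_size);
    return 0;
}
```

With the crafted input the pre-check variant returns success and the caller ends up with packet_size -1, the negative packet size from the commit message; the post-check variant rejects the same input, and still accepts the well-formed packet with a payload of 2 bytes.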

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
