Re: [FFmpeg-devel] [PATCH] ffmdec: sanitize codec parameters

Wed, 16 Nov 2016 17:27:04 -0800 

On Thu, Nov 17, 2016 at 01:08:31AM +0100, Andreas Cadhalpun wrote:
> All the fields can be set via options read from the ffm file and thus
> have to be sanitized.
> 
> A negative extradata size for example gets passed to memcpy in
> avcodec_parameters_from_context causing a segmentation fault.
> 
> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> ---
> 
> The other fields like qmin etc. seem to be completely ignored since the
> switch to codecpar, except possibly by ffserver.
> 
> ---
>  libavformat/ffmdec.c | 138 
> +++++++++++++++++++++++++++++++++++++--------------
>  1 file changed, 102 insertions(+), 36 deletions(-)
> 
> diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
> index 6b09be2..e66ba5c 100644
> --- a/libavformat/ffmdec.c
> +++ b/libavformat/ffmdec.c
> @@ -21,6 +21,7 @@
>  
>  #include <stdint.h>
>  
> +#include "libavutil/imgutils.h"
>  #include "libavutil/internal.h"
>  #include "libavutil/intreadwrite.h"
>  #include "libavutil/intfloat.h"
> @@ -28,6 +29,7 @@
>  #include "libavutil/avassert.h"
>  #include "libavutil/avstring.h"
>  #include "libavutil/pixdesc.h"
> +#include "libavcodec/internal.h"
>  #include "avformat.h"
>  #include "internal.h"
>  #include "ffm.h"
> @@ -277,6 +279,55 @@ static int ffm_append_recommended_configuration(AVStream 
> *st, char **conf)
>      return 0;
>  }
>  
> +#define SANITIZE_PARAMETER(parameter, name, check, default) {                
>      \
> +    if (check) {                                                             
>      \
> +        av_log(codec, AV_LOG_WARNING, "Invalid " name " %d\n", 
> codec->parameter); \
> +        codec->parameter = default;                                          
>      \
> +    }                                                                        
>      \
> +}
> +
> +static void ffm_sanitize_parameters(AVCodecContext *codec)
> +{
> +    if (codec->time_base.num < 0 || codec->time_base.den <= 0) {
> +        av_log(codec, AV_LOG_WARNING, "Invalid time base %d/%d\n",
> +               codec->time_base.num, codec->time_base.den);
> +        codec->time_base.num = 0;
> +        codec->time_base.den = 1;
> +    }
> +    if (codec->bit_rate < 0) {
> +        av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", 
> codec->bit_rate);
> +        codec->bit_rate = 0;
> +    }
> +    if ((codec->width || codec->height) && av_image_check_size(codec->width, 
> codec->height, 0, codec) < 0) {
> +        codec->width = 0;
> +        codec->height = 0;
> +    }
> +    if (codec->sample_aspect_ratio.num < 0 || codec->sample_aspect_ratio.den 
> < 0) {
> +        av_log(codec, AV_LOG_WARNING, "Invalid sample aspect ratio %d/%d\n",
> +               codec->sample_aspect_ratio.num, 
> codec->sample_aspect_ratio.den);
> +        codec->sample_aspect_ratio.num = 0;
> +        codec->sample_aspect_ratio.den = 1;
> +    }
> +    SANITIZE_PARAMETER(pix_fmt,                "pixel format",               
>      codec->pix_fmt < AV_PIX_FMT_NONE || codec->pix_fmt > AV_PIX_FMT_NB,      
>        AV_PIX_FMT_NONE)
> +    SANITIZE_PARAMETER(bits_per_coded_sample,  "bits per coded sample",      
>      codec->bits_per_coded_sample < 0,                                        
>        0)
> +    SANITIZE_PARAMETER(bits_per_raw_sample,    "bits per raw sample",        
>      codec->bits_per_raw_sample < 0,                                          
>        0)
> +    SANITIZE_PARAMETER(extradata_size,         "extradata size",             
>      codec->extradata_size < 0 || codec->extradata_size >= 
> FF_MAX_EXTRADATA_SIZE,    0)
> +    SANITIZE_PARAMETER(color_range,            "color range",                
>      (unsigned)codec->color_range > AVCOL_RANGE_NB,                           
>        AVCOL_RANGE_UNSPECIFIED)
> +    SANITIZE_PARAMETER(color_primaries,        "color primaries",            
>      (unsigned)codec->color_primaries > AVCOL_PRI_NB,                         
>        AVCOL_PRI_UNSPECIFIED)
> +    SANITIZE_PARAMETER(color_trc,              "color transfer 
> characteristics ", (unsigned)codec->color_trc > AVCOL_TRC_NB,                 
>                      AVCOL_TRC_UNSPECIFIED)
> +    SANITIZE_PARAMETER(colorspace,             "color space",                
>      (unsigned)codec->colorspace > AVCOL_SPC_NB,                              
>        AVCOL_SPC_UNSPECIFIED)
> +    SANITIZE_PARAMETER(chroma_sample_location, "chroma location",            
>      (unsigned)codec->chroma_sample_location > AVCHROMA_LOC_NB,               
>        AVCHROMA_LOC_UNSPECIFIED)
> +    SANITIZE_PARAMETER(has_b_frames,           "video delay",                
>      codec->has_b_frames < 0,                                                 
>        0)
> +    SANITIZE_PARAMETER(sample_fmt,             "sample format",              
>      codec->sample_fmt < AV_SAMPLE_FMT_NONE || codec->sample_fmt > 
> AV_SAMPLE_FMT_NB, AV_SAMPLE_FMT_NONE)

This breaks API/ABI
for example AVCOL_SPC_NB is not part of the public API of libavutil
one should be able to use av_color_space_name() to detect invalid color
spaces

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus

Attachment: signature.asc
Description: Digital signature

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Reply via email to