apetag: Improve APE tag size check
On Tue, Sep 16, 2014 at 01:40:24AM +0200, Katerina Barone-Adesi wrote:
> The size variable is (correctly) unsigned, but is passed to several functions
> which take signed parameters, such as avio_read, sometimes after having
> numbers added to it. This patch prevents unwanted implementation-defined
> behaviour, while retaining the idea behind the original bounds check.
What Luca tried to point out was to place the CC: libav-stable thing
directly in the log message. Git will figure out the right thing to
do.
> diff --git a/libavformat/apetag.c b/libavformat/apetag.c
> index 22884ef..bd8d0ed 100644
> --- a/libavformat/apetag.c
> +++ b/libavformat/apetag.c
> @@ -57,8 +57,10 @@ static int ape_tag_read_field(AVFormatContext *s)
> av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key);
> return -1;
> }
> - if (size >= UINT_MAX)
> - return -1;
> + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) {
> + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n");
> + return AVERROR_INVALIDDATA;
> + }
I don't see much that is implementation-defined. size is a uint32_t
variable, so UINT_MAX can be considerably larger on 64-bit systems.
Even on 32-bit systems, unsigned types can always hold larger positive
values than signed types.
Diego
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
