Re: [FFmpeg-devel] [PATCH 1/3] avformat/matroskadec: Sanitize SeekHead entries
Andreas Rheinhardt: > Andreas Rheinhardt: >> A Seek element in a Matroska SeekHead should contain a SeekID and a >> SeekPosition element and upon reading, they should be sanitized: >> >> Given that IDs are restricted to 32 bit, longer SeekIDs should be treated >> as invalid. Instead currently the lower 32 bits have been used. >> >> For SeekPosition, no checks were performed for the element to be >> present and if present, whether it was excessively large (i.e. the >> absolute file position described by it exceeding INT64_MAX). The >> SeekPosition element had a default value of -1 which means that a check >> seems to have been intended; but it was not implemented. This commit adds >> a check for overflow to the calculation of the absolute file position of >> the referenced level 1 elements. >> Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that >> a Seek element without SeekPosition will run afoul of this check. >> >> Signed-off-by: Andreas Rheinhardt >> --- >> libavformat/matroskadec.c | 6 +- >> 1 file changed, 5 insertions(+), 1 deletion(-) >> >> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c >> index 8e1326abf6..dea8f14f9e 100644 >> --- a/libavformat/matroskadec.c >> +++ b/libavformat/matroskadec.c >> @@ -1865,8 +1865,12 @@ static void >> matroska_execute_seekhead(MatroskaDemuxContext *matroska) >> MatroskaSeekhead *seekheads = seekhead_list->elem; >> uint32_t id = seekheads[i].id; >> int64_t pos = seekheads[i].pos + matroska->segment_start; >> +MatroskaLevel1Element *elem; >> >> -MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, >> id); >> +if (id != seekheads[i].id || pos < matroska->segment_start) >> +continue; >> + >> +elem = matroska_find_level1_elem(matroska, id); >> if (!elem || elem->parsed) >> continue; >> > Will apply this patchset tomorrow if there are no objections. > > - Andreas > Applied. - Andreas ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 1/3] avformat/matroskadec: Sanitize SeekHead entries
Andreas Rheinhardt: > A Seek element in a Matroska SeekHead should contain a SeekID and a > SeekPosition element and upon reading, they should be sanitized: > > Given that IDs are restricted to 32 bit, longer SeekIDs should be treated > as invalid. Instead currently the lower 32 bits have been used. > > For SeekPosition, no checks were performed for the element to be > present and if present, whether it was excessively large (i.e. the > absolute file position described by it exceeding INT64_MAX). The > SeekPosition element had a default value of -1 which means that a check > seems to have been intended; but it was not implemented. This commit adds > a check for overflow to the calculation of the absolute file position of > the referenced level 1 elements. > Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that > a Seek element without SeekPosition will run afoul of this check. > > Signed-off-by: Andreas Rheinhardt > --- > libavformat/matroskadec.c | 6 +- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > index 8e1326abf6..dea8f14f9e 100644 > --- a/libavformat/matroskadec.c > +++ b/libavformat/matroskadec.c > @@ -1865,8 +1865,12 @@ static void > matroska_execute_seekhead(MatroskaDemuxContext *matroska) > MatroskaSeekhead *seekheads = seekhead_list->elem; > uint32_t id = seekheads[i].id; > int64_t pos = seekheads[i].pos + matroska->segment_start; > +MatroskaLevel1Element *elem; > > -MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, > id); > +if (id != seekheads[i].id || pos < matroska->segment_start) > +continue; > + > +elem = matroska_find_level1_elem(matroska, id); > if (!elem || elem->parsed) > continue; > Will apply this patchset tomorrow if there are no objections. - Andreas ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 1/3] avformat/matroskadec: Sanitize SeekHead entries
A Seek element in a Matroska SeekHead should contain a SeekID and a SeekPosition element and upon reading, they should be sanitized: Given that IDs are restricted to 32 bit, longer SeekIDs should be treated as invalid. Instead currently the lower 32 bits have been used. For SeekPosition, no checks were performed for the element to be present and if present, whether it was excessively large (i.e. the absolute file position described by it exceeding INT64_MAX). The SeekPosition element had a default value of -1 which means that a check seems to have been intended; but it was not implemented. This commit adds a check for overflow to the calculation of the absolute file position of the referenced level 1 elements. Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that a Seek element without SeekPosition will run afoul of this check. Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8e1326abf6..dea8f14f9e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1865,8 +1865,12 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) MatroskaSeekhead *seekheads = seekhead_list->elem; uint32_t id = seekheads[i].id; int64_t pos = seekheads[i].pos + matroska->segment_start; +MatroskaLevel1Element *elem; -MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, id); +if (id != seekheads[i].id || pos < matroska->segment_start) +continue; + +elem = matroska_find_level1_elem(matroska, id); if (!elem || elem->parsed) continue; -- 2.20.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
