[FFmpeg-cvslog] Merge commit '74d98d1b0e0e7af444c933ea3c472494de3ce6f2'
Clément Bœsch
git at videolan.org
Tue Jun 21 14:49:14 CEST 2016
ffmpeg | branch: master | Clément Bœsch <clement at stupeflix.com> | Tue Jun 21 14:37:55 2016 +0200| [82439dec0fbf8a31159327ddf57096a0013109b9] | committer: Clément Bœsch
Merge commit '74d98d1b0e0e7af444c933ea3c472494de3ce6f2'
* commit '74d98d1b0e0e7af444c933ea3c472494de3ce6f2':
mpegts: Validate the SL Packet Header Configuration
See e630ca5111077fa8adc972fe8a3d7e2b3e8dc91f
Our local timestamp_len > 64 is adjusted to > 63 to match the Libav
check and the actual specifications (14496-1, 10.2.2).
There is no need to request a sample as it violates the specifications
and such a file would likely be the result of a crafted/fuzzed sample.
On the other hand, the clipping of the value is kept for extra safety.
Merged-by: Clément Bœsch <clement at stupeflix.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=82439dec0fbf8a31159327ddf57096a0013109b9
---
libavformat/mpegts.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 6acb797..379ffbd 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1406,6 +1406,14 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
if (!descr)
return AVERROR_INVALIDDATA;
+#define R8_CHECK_CLIP_MAX(dst, maxv) do { \
+ descr->sl.dst = avio_r8(&d->pb); \
+ if (descr->sl.dst > maxv) { \
+ descr->sl.dst = maxv; \
+ return AVERROR_INVALIDDATA; \
+ } \
+} while (0)
+
predefined = avio_r8(&d->pb);
if (!predefined) {
int lengths;
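Review bot: R8_CHECK_CLIP_MAX hides a `return AVERROR_INVALIDDATA` and picks up `descr` and `d` by name, so its three call sites in the next hunk read like plain field loads although each one can leave parse_MP4SLDescrTag early. A comment above the `#define`, such as `/* read one byte into descr->sl.<dst>; if it exceeds maxv, clip it and return AVERROR_INVALIDDATA from the enclosing function */`, would make that control flow visible, and the expansion should use `(maxv)` rather than bare `maxv`. No `#undef R8_CHECK_CLIP_MAX` appears in the visible hunks; because the macro is defined inside the function body, it should be undefined after the last use so it does not stay visible to the rest of mpegts.c. The function continues outside this hunk, and the same lines are repeated in the combined diff further down the page.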
@@ -1418,14 +1426,9 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
descr->sl.use_idle = !!(flags & 0x02);
descr->sl.timestamp_res = avio_rb32(&d->pb);
avio_rb32(&d->pb);
- descr->sl.timestamp_len = avio_r8(&d->pb);
- if (descr->sl.timestamp_len > 64) {
- avpriv_request_sample(NULL, "timestamp_len > 64");
- descr->sl.timestamp_len = 64;
- return AVERROR_PATCHWELCOME;
- }
- descr->sl.ocr_len = avio_r8(&d->pb);
- descr->sl.au_len = avio_r8(&d->pb);
+ R8_CHECK_CLIP_MAX(timestamp_len, 63);
+ R8_CHECK_CLIP_MAX(ocr_len, 63);
+ R8_CHECK_CLIP_MAX(au_len, 31);
descr->sl.inst_bitrate_len = avio_r8(&d->pb);
lengths = avio_rb16(&d->pb);
descr->sl.degr_prior_len = lengths >> 12;
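Review bot: `inst_bitrate_len`, on the line directly after the three new checks, is still stored as an unchecked byte (0–255) taken from the stream. If the SL packet header reader uses it as a bit count the way it presumably uses `timestamp_len`, `ocr_len` and `au_len` (that code is not part of this diff), it needs the same bound: `R8_CHECK_CLIP_MAX(inst_bitrate_len, MAX_INST_BITRATE_LEN);`, where `MAX_INST_BITRATE_LEN` is a placeholder for the widest value that reader can safely consume. Separately, the removed code logged through `avpriv_request_sample` before failing, while the macro path now returns without any message; a log line naming the rejected field would help when triaging malformed or fuzzed streams. The enclosing `if (!predefined)` block continues past the end of this hunk.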
======================================================================
diff --cc libavformat/mpegts.c
index 6acb797,740cc14..379ffbd
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@@ -1406,6 -1151,6 +1406,14 @@@ static int parse_MP4SLDescrTag(MP4Descr
if (!descr)
return AVERROR_INVALIDDATA;
++#define R8_CHECK_CLIP_MAX(dst, maxv) do { \
++ descr->sl.dst = avio_r8(&d->pb); \
++ if (descr->sl.dst > maxv) { \
++ descr->sl.dst = maxv; \
++ return AVERROR_INVALIDDATA; \
++ } \
++} while (0)
++
predefined = avio_r8(&d->pb);
if (!predefined) {
int lengths;
@@@ -1418,14 -1163,9 +1426,9 @@@
descr->sl.use_idle = !!(flags & 0x02);
descr->sl.timestamp_res = avio_rb32(&d->pb);
avio_rb32(&d->pb);
-- descr->sl.timestamp_len = avio_r8(&d->pb);
- if (descr->sl.timestamp_len > 64) {
- avpriv_request_sample(NULL, "timestamp_len > 64");
- descr->sl.timestamp_len = 64;
- return AVERROR_PATCHWELCOME;
- }
-- descr->sl.ocr_len = avio_r8(&d->pb);
-- descr->sl.au_len = avio_r8(&d->pb);
++ R8_CHECK_CLIP_MAX(timestamp_len, 63);
++ R8_CHECK_CLIP_MAX(ocr_len, 63);
++ R8_CHECK_CLIP_MAX(au_len, 31);
descr->sl.inst_bitrate_len = avio_r8(&d->pb);
lengths = avio_rb16(&d->pb);
descr->sl.degr_prior_len = lengths >> 12;