[FFmpeg-cvslog] fftools/ffmpeg_opt: Check attachment filesize

Andreas Rheinhardt git at videolan.org
Thu Jul 2 03:33:46 EEST 2020

ffmpeg | branch: release/4.1 | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Wed Apr 15 20:54:42 2020 +0200| [259edd9293c382299ad04f6133a34f9844fa0f2f] | committer: Andreas Rheinhardt

fftools/ffmpeg_opt: Check attachment filesize

The data of an attachment file is put into an AVCodecParameter's
extradata. The corresponding size field has type int, yet there was no
check for the size to fit into an int. As a consequence, it was possible
to create extradata with negative size (by using a big enough max_alloc).

Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit
systems) then the file size might be truncated before the allocation;
and avio_read() takes an int, too, so one would not have read as much
as one desired.

Furthermore, the extradata is now padded as is required.

Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
(cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=259edd9293c382299ad04f6133a34f9844fa0f2f

 fftools/ffmpeg_opt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c
index 1893234789..618f0f22cd 100644
--- a/fftools/ffmpeg_opt.c
+++ b/fftools/ffmpeg_opt.c
@@ -2333,12 +2333,14 @@ loop_end:
-        if (!(attachment = av_malloc(len))) {
-            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n",
+        if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE ||
+            !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
+            av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n",
         avio_read(pb, attachment, len);
+        memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
         ost = new_attachment_stream(o, oc, -1);
         ost->stream_copy               = 0;
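
Review bot: the return value of avio_read(pb, attachment, len) on the unchanged context line is still discarded, so a short read or I/O error leaves the tail of the av_malloc()ed buffer uninitialized while the new memset zeroes only the padding at attachment + len. Consider failing when the call does not return len, or allocating with av_mallocz so that any unread bytes are at least zeroed before they end up in extradata. Separately, the new condition only bounds len from above; the lines shown here do not establish that len is positive at this point, so it is worth confirming that a zero or negative size is rejected before len + AV_INPUT_BUFFER_PADDING_SIZE reaches av_malloc.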
