[FFmpeg-devel] [PATCH V3 1/2] lavf/vc1test: fix vc1test can't probe some RCV file.

Mon Oct 15 10:15:10 EEST 2018

> case 1:
> use the hexdump -C SMM0005.rcv get:
>                      size              skip (size - 4)
>                       |                        |
>                       V                        V
> 00000000  18 00 00 c5 05 00 00 00  4d f1 0a 11 00 e0 01 00
> 00000010  00 d0 02 00 00 0c 00 00  00 88 13 00 00 c0 65 52
>                          ^
> 			 |
> 		     size + 16
> case 2:
> same the command for SMM0015.rcv get:
>                     size
>                       |
>                       V
> 00000000  19 00 00 c5 04 00 00 00  41 f3 80 01 40 02 00 00
> 00000010  d0 02 00 00 0c 00 00 00  00 00 00 10 00 00 00 00
>                       ^
> 		      |
> 		   size + 16
>
> There are different the RCV file format for VC-1, vc1test
> just handle the case 2 now, this fix will support the case 1.
> (Both of test clips come from: SMPTE Recommended Practice -
> VC-1 Decoder and Bitstream Conformance). And I think I got
> a older VC-1 test clip in the case 1.
>
> Reviewed-by: Carl Eugen Hoyos <ceffmpeg at gmail.com>
> Reviewed-by: Jerome Borsboom <jerome.borsboom at carpalis.nl>
> Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
> Signed-off-by: Jun Zhao <jun.zhao at intel.com>
> Signed-off-by: Yan, FengX <fengx.yan at intel.com>
> ---
>  libavformat/vc1test.c |   11 +++++++++--
>  1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/vc1test.c b/libavformat/vc1test.c
> index a801f4b..e029ff4 100644
> --- a/libavformat/vc1test.c
> +++ b/libavformat/vc1test.c
> @@ -34,9 +34,13 @@
>
>  static int vc1t_probe(AVProbeData *p)
>  {
> +    int size;
> +
>      if (p->buf_size < 24)
>          return 0;
> -    if (p->buf[3] != 0xC5 || AV_RL32(&p->buf[4]) != 4 ||
AV_RL32(&p->buf[20]) != 0xC)
> +
> +    size = AV_RL32(&p->buf[4]);
> +    if (p->buf[3] != 0xC5 || size < 4 || AV_RL32(&p->buf[size+16]) !=
0xC)
>          return 0;
>
>      return AVPROBE_SCORE_EXTENSION;
> @@ -48,9 +52,10 @@ static int vc1t_read_header(AVFormatContext *s)
>      AVStream *st;
>      int frames;
>      uint32_t fps;
> +    int size;
>
>      frames = avio_rl24(pb);
> -    if(avio_r8(pb) != 0xC5 || avio_rl32(pb) != 4)
> +    if (avio_r8(pb) != 0xC5 || ((size = avio_rl32(pb)) < 4))
>          return AVERROR_INVALIDDATA;
>
>      /* init video codec */
> @@ -63,6 +68,8 @@ static int vc1t_read_header(AVFormatContext *s)
>
>      if (ff_get_extradata(s, st->codecpar, pb, VC1_EXTRADATA_SIZE) < 0)
>          return AVERROR(ENOMEM);
> +
> +    avio_skip(pb, size - 4);
>      st->codecpar->height = avio_rl32(pb);
>      st->codecpar->width = avio_rl32(pb);
>      if(avio_rl32(pb) != 0xC)
> --
> 1.7.1

You may still overread the buffer as the first check on buf_size only
checks for at least 24 bytes. The following p->buf[size+16] may read
beyond the end of the buffer.

Regards,
Jerome