[FFmpeg-devel] [PATCH v2] Fix sdp size check on fmtp integer parameters

Michael Niedermayer michael at niedermayer.cc
Thu Apr 18 13:04:16 EEST 2019 

On Mon, Apr 01, 2019 at 04:45:38PM +0200, Olivier Maignial wrote:
> RFC-4566 do not give any limit of size on interger parameters given in fmtp line.
> By reading some more RFCs it is possible to find examples where some integers parameters are greater than 32 (see RFC-6416, 7.4)
> 
> Instead I propose to check just check the eventual integer overflow.
> Using INT_MIN and INT_MAX ensure that it will work whatever the size of int given by compiler
> 
> Signed-off-by: Olivier Maignial <olivier.maignial at smile.fr>
> ---
> 
> Changes v1 -> v2:
>     - Removed line break at end of 'if' line before brace
>     - Added Signed-Off-By line
> 
>  libavformat/rtpdec_mpeg4.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
> index 994ab49..14caa0a 100644
> --- a/libavformat/rtpdec_mpeg4.c
> +++ b/libavformat/rtpdec_mpeg4.c
> @@ -289,15 +289,23 @@ static int parse_fmtp(AVFormatContext *s,
>          for (i = 0; attr_names[i].str; ++i) {
>              if (!av_strcasecmp(attr, attr_names[i].str)) {
>                  if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
> -                    int val = atoi(value);
> -                    if (val > 32) {
> +                    char *end_ptr = NULL;
> +                    long int val = strtol(value, &end_ptr, 10);
> +                    if (value[0] == '\n' || end_ptr[0] != '\0') {
>                          av_log(s, AV_LOG_ERROR,
> -                               "The %s field size is invalid (%d)\n",
> +                               "The %s field value is not a number (%s)\n",
> +                               attr, value);
> +                        return AVERROR_INVALIDDATA;
> +                    }
> +
> +                    if (val > INT_MAX || val < INT_MIN) {

This test only works if LONG_MAX > INT_MAX otherwise it will not
detect out of range values

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190418/1dc3f48c/attachment.sig>

More information about the ffmpeg-devel mailing list