[FFmpeg-devel] [PATCH] libavformat/flacenc: reject too big picture blocks

Mattias Wadman mattias.wadman at gmail.com
Sun Oct 27 23:06:11 EET 2019


Think I messed up the formatting of the in-line patch somehow. I'll send the
patch as an attachment instead. Hope reply and attach is OK?

On Sun, Oct 27, 2019 at 8:22 PM Mattias Wadman <mattias.wadman at gmail.com>
wrote:

> A too-big picture will cause the muxer to write a truncated block size
> (uint24), causing the output file to be corrupt.
>
> How to reproduce:
>
> Write a file with truncated block size:
> ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0
> -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac
>
> Try to decode:
> ffmpeg -i test.flac test.wav
>
> Signed-off-by: Mattias Wadman <mattias.wadman at gmail.com>
> ---
>  libavformat/flacenc.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git libavformat/flacenc.c libavformat/flacenc.c
> index 93cc79bbe0..957bcb1123 100644
> --- libavformat/flacenc.c
> +++ libavformat/flacenc.c
> @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s,
> AVPacket *pkt)
>      AVDictionaryEntry *e;
>      const char *mimetype = NULL, *desc = "";
>      const AVStream *st = s->streams[pkt->stream_index];
> -    int i, mimelen, desclen, type = 0;
> +    int i, mimelen, desclen, type = 0, blocklen = 0;
>
>      if (!pkt->data)
>          return 0;
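Review bot: the `= 0` initializer on the new `blocklen` variable is dead: the second hunk assigns `blocklen` unconditionally before its only reads, so `int i, mimelen, desclen, type = 0, blocklen;` is sufficient. Consider also whether `int` is the right width for a value that will have `pkt->size` added to it; declaring it as a 64-bit type would make the later range check robust against signed overflow.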
> @@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext
> *s, AVPacket *pkt)
>          desc = e->value;
>      desclen = strlen(desc);
>
> +    blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 +
> pkt->size;
> +    if (blocklen >= 1<<24) {
> +         av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n",
> blocklen, 1<<24);
> +        return AVERROR(EINVAL);
> +    }
> +
>      avio_w8(pb, 0x06);
> -    avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 +
> pkt->size);
> +    avio_wb24(pb, blocklen);
>
>      avio_wb32(pb, type);
>
> --
> 2.22.0
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-libavformat-flacenc-reject-too-large-picture-blocks.patch
Type: application/octet-stream
Size: 1807 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191027/48a642e1/attachment.obj>
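As an added illustration (this is not code from the patch or from FFmpeg), the following C program reproduces the arithmetic the patch guards: it sums the PICTURE block fields the same way the hunk does, emulates the 24-bit header write (only the low three bytes reach the file, as with a `wb24`), reads the length back the way a demuxer would, and applies the same reject-at-`1<<24` rule. The image size is constructed from the reproducer's 2400x2400 BMP (a 24-bit BMP with a 54-byte header is assumed) together with an `image/bmp` mime string; all function and macro names are the example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FLAC METADATA_BLOCK_HEADER: 1 byte (last-block flag | block type) followed by
 * a 3-byte big-endian length. Block type 6 is PICTURE. */
#define FLAC_BLOCK_PICTURE   0x06
#define FLAC_MAX_BLOCK_LEN   ((1u << 24) - 1)   /* largest value a 24-bit field can hold */

/* Body size of a PICTURE block, summed field by field exactly as the patch does:
 *   type(4) mimelen(4) mime desclen(4) desc width(4) height(4) depth(4) colors(4) datalen(4) data */
static uint64_t flac_picture_block_len(size_t mimelen, size_t desclen, size_t picsize)
{
    return 4 + 4 + (uint64_t)mimelen + 4 + (uint64_t)desclen
         + 4 + 4 + 4 + 4 + 4 + (uint64_t)picsize;
}

/* Emulates an unchecked 24-bit write: anything above bit 23 is silently dropped. */
static void put_block_header(uint8_t hdr[4], int last, int type, uint64_t len)
{
    hdr[0] = (uint8_t)((last ? 0x80 : 0) | (type & 0x7f));
    hdr[1] = (uint8_t)(len >> 16);
    hdr[2] = (uint8_t)(len >> 8);
    hdr[3] = (uint8_t)len;
}

/* What a demuxer reads back from that header. */
static uint32_t get_block_len(const uint8_t hdr[4])
{
    return ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* Pre-patch behaviour: the length a reader sees after the truncating write. */
static uint32_t truncated_len_in_file(size_t mimelen, size_t desclen, size_t picsize)
{
    uint8_t hdr[4];
    put_block_header(hdr, 0, FLAC_BLOCK_PICTURE,
                     flac_picture_block_len(mimelen, desclen, picsize));
    return get_block_len(hdr);
}

/* The patch's guard: refuse any block whose length does not fit in 24 bits. */
static int write_picture_header_checked(uint8_t hdr[4], size_t mimelen,
                                        size_t desclen, size_t picsize)
{
    uint64_t len = flac_picture_block_len(mimelen, desclen, picsize);
    if (len > FLAC_MAX_BLOCK_LEN)       /* same condition as blocklen >= 1<<24 */
        return -EINVAL;
    put_block_header(hdr, 0, FLAC_BLOCK_PICTURE, len);
    return 0;
}

/* Post-patch behaviour: -EINVAL, or the length a reader sees (now always correct). */
static int64_t checked_len_in_file(size_t mimelen, size_t desclen, size_t picsize)
{
    uint8_t hdr[4];
    int ret = write_picture_header_checked(hdr, mimelen, desclen, picsize);
    return ret < 0 ? ret : (int64_t)get_block_len(hdr);
}

int main(void)
{
    /* Constructed input mirroring the reproducer: 2400x2400, 24 bits per pixel,
     * 54-byte BMP header assumed. */
    size_t bmp = 54 + 2400u * 2400u * 3u;
    const char *mime = "image/bmp";
    uint64_t len = flac_picture_block_len(strlen(mime), 0, bmp);

    printf("real block length : %llu\n", (unsigned long long)len);
    printf("length in file    : %u (pre-patch, truncated to 24 bits)\n",
           truncated_len_in_file(strlen(mime), 0, bmp));
    printf("checked write     : %lld (post-patch, -EINVAL means rejected)\n",
           (long long)checked_len_in_file(strlen(mime), 0, bmp));
    return 0;
}
```

The run shows the mismatch the reproducer hits: the real block body is about 17.3 MB, but the header the old code emitted claims roughly 0.5 MB, so a reader walks into the middle of the pixel data expecting the next metadata block. The checked path rejects the same input instead of writing it.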

