[FFmpeg-devel] [PATCH 5/5] avformat/vividas: Test size and packet numbers a bit more

Michael Niedermayer michael at niedermayer.cc
Wed Sep 4 19:04:58 EEST 2019


Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavformat/vividas.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 7ccec85761..62d714dd2b 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -427,6 +427,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
     int maxnp=0;
     AVIOContext *pb;
     int i;
+    int64_t filesize = avio_size(s->pb);
 
     pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL);
     if (!pb)
@@ -435,11 +436,8 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
     ffio_read_varlen(pb); // track_index_len
     avio_r8(pb); // 'c'
     viv->n_sb_blocks = ffio_read_varlen(pb);
-    if (viv->n_sb_blocks * 2 > size) {
-        viv->n_sb_blocks = 0;
-        av_free(pb);
-        return AVERROR_INVALIDDATA;
-    }
+    if (viv->n_sb_blocks * 2 > size)
+        goto error;
     viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block));
     if (!viv->sb_blocks) {
         viv->n_sb_blocks = 0;
@@ -451,24 +449,37 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
     poff = 0;
 
     for (i = 0; i < viv->n_sb_blocks; i++) {
+        uint64_t size_tmp      = ffio_read_varlen(pb);
+        uint64_t n_packets_tmp = ffio_read_varlen(pb);
+
+        if (size_tmp > INT_MAX || n_packets_tmp > INT_MAX)
+            goto error;
+
         viv->sb_blocks[i].byte_offset = off;
         viv->sb_blocks[i].packet_offset = poff;
 
-        viv->sb_blocks[i].size = ffio_read_varlen(pb);
-        viv->sb_blocks[i].n_packets = ffio_read_varlen(pb);
+        viv->sb_blocks[i].size = size_tmp;
+        viv->sb_blocks[i].n_packets = n_packets_tmp;
 
         off += viv->sb_blocks[i].size;
         poff += viv->sb_blocks[i].n_packets;
 
-
         if (maxnp < viv->sb_blocks[i].n_packets)
             maxnp = viv->sb_blocks[i].n_packets;
     }
 
+    if (filesize > 0 && poff > filesize)
+        goto error;
+
     viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry));
     av_free(pb);
 
     return 0;
+error:
+    av_free(pb);
+    viv->n_sb_blocks = 0;
+    av_freep(&viv->sb_blocks);
+    return AVERROR_INVALIDDATA;
 }
 
 static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size)
-- 
2.23.0



More information about the ffmpeg-devel mailing list