[FFmpeg-devel] [PATCH v2 01/11] libavformat/asf: fix handling of byte array length values
Michael Niedermayer
michael at niedermayer.cc
Sat May 7 21:48:33 EEST 2022
On Sat, May 07, 2022 at 09:36:34AM +0000, softworkz wrote:
> From: softworkz <softworkz at hotmail.com>
>
> The spec allows attachment sizes of up to UINT32_MAX while
> we can handle only sizes up to INT32_MAX (in downstream
> code)
>
> The debug.assert in get_tag didn't really address this,
> and truncating the value_len in calling methods cannot
> be used because the length value is required in order to
> continue parsing. This adds a check with log message in
> ff_asf_handle_byte_array to handle those (rare) cases.
>
> Signed-off-by: softworkz <softworkz at hotmail.com>
> ---
> libavformat/asf.c | 12 +++++++++---
> libavformat/asf.h | 2 +-
> 2 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/libavformat/asf.c b/libavformat/asf.c
> index 1ac8b5f078..179b66a2b4 100644
> --- a/libavformat/asf.c
> +++ b/libavformat/asf.c
> @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
> }
>
> int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
> - int val_len)
> + uint32_t val_len)
> {
> + if (val_len > INT32_MAX) {
> + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
> + return 1;
> + }
> +
> if (!strcmp(name, "WM/Picture")) // handle cover art
> - return asf_read_picture(s, val_len);
> + return asf_read_picture(s, (int)val_len);
> else if (!strcmp(name, "ID3")) // handle ID3 tag
> - return get_id3_tag(s, val_len);
> + return get_id3_tag(s, (int)val_len);
unneeded
>
> + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name);
Probably this should be DEBUG
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220507/56e026d1/attachment.sig>
More information about the ffmpeg-devel
mailing list