[FFmpeg-devel] [PATCH v5 03/10] libavformat/asfdec: fix type of value_len

softworkz ffmpegagent at gmail.com
Sat May 21 08:21:33 EEST 2022 

From: softworkz <softworkz at hotmail.com>

The value_len is an uint32 not an int32 per spec. That
value must not be truncated, neither by casting to int, nor by any
conditional checks, because at the end of get_tag, this value is
needed to move forward in parsing. When the len value gets
modified, the parsing may break.

Signed-off-by: softworkz <softworkz at hotmail.com>
---
 libavformat/asfdec_f.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index c7c4ba55d6..eda7175c96 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -219,7 +219,7 @@ static uint64_t get_value(AVIOContext *pb, int type, int type2_size)
     }
 }
 
-static void get_tag(AVFormatContext *s, const char *key, int type, int len, int type2_size)
+static void get_tag(AVFormatContext *s, const char *key, int type, uint32_t len, int type2_size)
 {
     ASFContext *asf = s->priv_data;
     char *value = NULL;
@@ -529,7 +529,7 @@ static int asf_read_ext_stream_properties(AVFormatContext *s)
 static int asf_read_content_desc(AVFormatContext *s)
 {
     AVIOContext *pb = s->pb;
-    int len1, len2, len3, len4, len5;
+    uint32_t len1, len2, len3, len4, len5;
 
     len1 = avio_rl16(pb);
     len2 = avio_rl16(pb);
@@ -620,25 +620,23 @@ static int asf_read_metadata(AVFormatContext *s)
     ASFContext *asf = s->priv_data;
     uint64_t dar_num[128] = {0};
     uint64_t dar_den[128] = {0};
-    int n, stream_num, name_len_utf16, name_len_utf8, value_len;
+    int n, name_len_utf8;
+    uint16_t stream_num, name_len_utf16, value_type;
+    uint32_t value_len;
     int ret, i;
     n = avio_rl16(pb);
 
     for (i = 0; i < n; i++) {
         uint8_t *name;
-        int value_type;
 
         avio_rl16(pb);  // lang_list_index
-        stream_num = avio_rl16(pb);
-        name_len_utf16 = avio_rl16(pb);
-        value_type = avio_rl16(pb); /* value_type */
-        value_len  = avio_rl32(pb);
+        stream_num     = (uint16_t)avio_rl16(pb);
+        name_len_utf16 = (uint16_t)avio_rl16(pb);
+        value_type     = (uint16_t)avio_rl16(pb); /* value_type */
+        value_len      = avio_rl32(pb);
 
-        if (value_len < 0 || value_len > UINT16_MAX)
-            return AVERROR_INVALIDDATA;
-
-        name_len_utf8 = 2*name_len_utf16 + 1;
-        name          = av_malloc(name_len_utf8);
+        name_len_utf8  = 2 * name_len_utf16 + 1;
+        name           = av_malloc(name_len_utf8);
         if (!name)
             return AVERROR(ENOMEM);
 
-- 
ffmpeg-codebot

More information about the ffmpeg-devel mailing list