[FFmpeg-devel] [PATCH] avcodec/avcodec: Limit the number of side data elements per packet

wm4 nfxjfg at googlemail.com
Thu May 11 19:54:16 EEST 2017


On Thu, 11 May 2017 13:01:36 +0200
Michael Niedermayer <michael at niedermayer.cc> wrote:

> Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/avcodec.h  | 8 ++++++++
>  libavcodec/avpacket.c | 5 ++++-
>  2 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
> index df6d2bc748..173c083a86 100644
> --- a/libavcodec/avcodec.h
> +++ b/libavcodec/avcodec.h
> @@ -1593,6 +1593,14 @@ enum AVPacketSideDataType {
>       * AVContentLightMetadata struct.
>       */
>      AV_PKT_DATA_CONTENT_LIGHT_LEVEL,
> +
> +    /**
> +     * The number of side data elements (in fact a bit more than it).
> +     * This is not part of the public API/ABI in the sense that it may
> +     * change when new side data types are added.
> +     * This must stay the last enum value.
> +     */
> +    AV_PKT_DATA_NB,
>  };

OK I guess.

>  #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED
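Review bot: the doc comment on AV_PKT_DATA_NB ("in fact a bit more than it") is too vague for a value that avpacket.c then uses as a hard limit; state precisely what it is, e.g. "One past the last enum value, i.e. the number of enum entries, which is an upper bound on the number of distinct side data types", so that the limit checks in avpacket.c can be read against it. Since this lands in the public enum in avcodec.h, the "not part of the public API/ABI" note should also say what that means for callers (do not store it or compare against it across library versions), and "This must stay the last enum value" is the kind of invariant that tends to be broken by a later addition appended after it; a short comment at the point where new types are meant to be inserted (before AV_PKT_DATA_NB) would make that harder to get wrong.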
> diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
> index 369dd78208..200ba99f34 100644
> --- a/libavcodec/avpacket.c
> +++ b/libavcodec/avpacket.c
> @@ -298,7 +298,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
>      AVPacketSideData *tmp;
>      int elems = pkt->side_data_elems;
>  
> -    if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
> +    if ((unsigned)elems + 1 > FFMIN(INT_MAX / sizeof(*pkt->side_data), AV_PKT_DATA_NB))

Do the FFMIN and the old expression on the right side still have any
function?

>          return AVERROR(ERANGE);
>  
>      tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
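Review bot: the FFMIN makes the old bound dead code: AV_PKT_DATA_NB is a small enum count (a few dozen entries), while INT_MAX / sizeof(*pkt->side_data) is in the hundreds of millions, so the minimum is always AV_PKT_DATA_NB and the original overflow guard no longer contributes anything. Assuming side_data_elems is never negative, `if (elems >= AV_PKT_DATA_NB)` says the same thing more clearly, and the `(unsigned)` cast, which was only there for the old large bound, can go with it. Note also that the bound is only meaningful if a packet carries at most one element per type; nothing in this function checks for an existing element of the same type before appending, so a caller adding the same type repeatedly now gets ERANGE after AV_PKT_DATA_NB additions instead of unbounded growth. That is acceptable, but the assumption should be stated in the commit message or in a comment next to the check.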
> @@ -437,6 +437,9 @@ int av_packet_split_side_data(AVPacket *pkt){
>              p-= size+5;
>          }
>  
> +        if (i > AV_PKT_DATA_NB)
> +            return AVERROR(ERANGE);
> +
>          pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data));
>          if (!pkt->side_data)
>              return AVERROR(ENOMEM);
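Review bot: the `i > AV_PKT_DATA_NB` check is consistent with the add path (both allow exactly AV_PKT_DATA_NB elements) and is correctly placed before av_malloc_array, so a rejected packet allocates nothing. What is missing is a comment explaining why the count is capped (a split packet cannot legitimately carry more elements than there are side data types), since AVERROR(ERANGE) on its own reads as an integer-range problem rather than a sanity limit on attacker-controlled packet contents. The commit message likewise only cites the fuzzer case id; saying what the testcase triggered in this loop would let reviewers judge whether the cap is the right fix or just hides the symptom.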
