[FFmpeg-devel] [PATCH] lavf/mov.c: Fix parsing of edit list atoms with invalid elst entry count.

Sasi Inguva isasi at google.com
Tue Oct 24 02:24:51 EEST 2017 

On Fri, Oct 20, 2017 at 4:26 PM, Michael Niedermayer <michael at niedermayer.cc
> wrote:

> On Wed, Oct 18, 2017 at 08:12:50PM -0700, Sasi Inguva wrote:
> > Signed-off-by: Sasi Inguva <isasi at google.com>
> > ---
> >  libavformat/mov.c                           | 16 +++++++-
> >  tests/fate/mov.mak                          |  6 ++-
> >  tests/ref/fate/mov-invalid-elst-entry-count | 57
> +++++++++++++++++++++++++++++
> >  3 files changed, 76 insertions(+), 3 deletions(-)
> >  create mode 100644 tests/ref/fate/mov-invalid-elst-entry-count
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index b22a116140..8d2602c739 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -4596,7 +4596,7 @@ free_and_return:
> >  static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >  {
> >      MOVStreamContext *sc;
> > -    int i, edit_count, version;
> > +    int i, edit_count, version, elst_entry_size;
> >
> >      if (c->fc->nb_streams < 1 || c->ignore_editlist)
> >          return 0;
> > @@ -4605,6 +4605,15 @@ static int mov_read_elst(MOVContext *c,
> AVIOContext *pb, MOVAtom atom)
> >      version = avio_r8(pb); /* version */
> >      avio_rb24(pb); /* flags */
> >      edit_count = avio_rb32(pb); /* entries */
>
> > +    atom.size -= 8;
>
> > +
> > +    elst_entry_size = version == 1 ? 20 :  12;
> > +    if (atom.size != edit_count * elst_entry_size &&
>
> the edit_count * elst_entry_size can overflow
>
> Thanks. Changed elst_entry_size to int64

>
> > +        c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) {
> > +        av_log(c->fc, AV_LOG_ERROR, "Invalid edit list entry_count: %d
> for elst atom of size: %"PRId64" bytes.\n",
> > +               edit_count, atom.size + 8);
> > +        return AVERROR_INVALIDDATA;
> > +    }
> >
> >      if (!edit_count)
> >          return 0;
> > @@ -4617,17 +4626,20 @@ static int mov_read_elst(MOVContext *c,
> AVIOContext *pb, MOVAtom atom)
> >          return AVERROR(ENOMEM);
> >
> >      av_log(c->fc, AV_LOG_TRACE, "track[%u].edit_count = %i\n",
> c->fc->nb_streams - 1, edit_count);
> > -    for (i = 0; i < edit_count && !pb->eof_reached; i++) {
> > +    for (i = 0; i < edit_count && atom.size > 0 && !pb->eof_reached;
> i++) {
> >          MOVElst *e = &sc->elst_data[i];
>
> isnt atom.size < 0 an error condition ?
> this could would not error out in that case
> is that intended ?
>
> we are comparing that atom.size is exactly equal to edit_count *
elst_entry_size . The for loop will decrease elst_entry_size bytes from
atom.size in each iteration, so it can only be < 0 iff  it wasn't exactly
equal to edit_count * elst_entry_size .


> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Complexity theory is the science of finding the exact solution to an
> approximation. Benchmarking OTOH is finding an approximation of the exact
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>

More information about the ffmpeg-devel mailing list