[FFmpeg-devel] [PATCH 1/5] avformat/mxfdec: fix klv_decode_ber_length return value usage

Tomas Härdin tjoppen at acc.umu.se
Mon May 28 00:20:20 EEST 2018


Sun 2018-05-27 at 21:21 +0200, Marton Balint wrote:
> Signed-off-by: Marton Balint <cus at passwd.hu>
> ---
>  libavformat/mxfdec.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 7a42555562..40c9e0c3a9 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -372,6 +372,8 @@ static int64_t klv_decode_ber_length(AVIOContext *pb)
>          while (bytes_num--)
>              size = size << 8 | avio_r8(pb);
>      }
> +    if (size > INT64_MAX)
> +        return AVERROR_INVALIDDATA;
>      return size;
>  }
>  
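
Review bot: The added `size > INT64_MAX` check covers only the final `return size;`, and the hunk does not show whether earlier error paths in klv_decode_ber_length still return a bare -1, the value the old caller tested with `klv->length == -1`. If any remain, convert them to AVERROR_INVALIDDATA so the function has one error convention now that the caller tests `length < 0`. The comparison is also only meaningful if size is declared as an unsigned 64-bit type, which is outside the visible context; a one-line comment that the value is range-checked before conversion to the int64_t return type would make the intent clear.
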
> @@ -390,13 +392,17 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size)
>  
>  static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
>  {
> +    int64_t length;
>      if (!mxf_read_sync(pb, mxf_klv_key, 4))
>          return AVERROR_INVALIDDATA;
>      klv->offset = avio_tell(pb) - 4;
>      memcpy(klv->key, mxf_klv_key, 4);
>      avio_read(pb, klv->key + 4, 12);
> -    klv->length = klv_decode_ber_length(pb);
> -    return klv->length == -1 ? -1 : 0;
> +    length = klv_decode_ber_length(pb);
> +    if (length < 0)
> +        return length;
> +    klv->length = length;
> +    return 0;
>  }
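
Review bot: `return length;` in klv_read_packet implicitly narrows an int64_t to the function's int return type. It is reached only for negative values, which are error values after the change to klv_decode_ber_length, so it works, but `return (int)length;` or a short comment would make the narrowing deliberate. Separately, the context line `avio_read(pb, klv->key + 4, 12);` ignores its return value, so a short read can leave part of klv->key unfilled before the length is decoded; checking it would fit this patch's aim of propagating read errors.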

This feels like the kind of thing that should have been caught ages
ago. Are there any other -1's like this hiding in mxfdec? I took a
quick look but didn't find much.

/Tomas

