On Thu, Nov 17, 2016 at 07:35:01PM +0100, Andreas Cadhalpun wrote: > On 17.11.2016 02:26, Michael Niedermayer wrote: > > On Thu, Nov 17, 2016 at 01:08:31AM +0100, Andreas Cadhalpun wrote: > >> + SANITIZE_PARAMETER(pix_fmt, "pixel format", > >> codec->pix_fmt < AV_PIX_FMT_NONE || codec->pix_fmt > > >> AV_PIX_FMT_NB, AV_PIX_FMT_NONE) > >> + SANITIZE_PARAMETER(bits_per_coded_sample, "bits per coded sample", > >> codec->bits_per_coded_sample < 0, > >> 0) > >> + SANITIZE_PARAMETER(bits_per_raw_sample, "bits per raw sample", > >> codec->bits_per_raw_sample < 0, > >> 0) > >> + SANITIZE_PARAMETER(extradata_size, "extradata size", > >> codec->extradata_size < 0 || codec->extradata_size >= > >> FF_MAX_EXTRADATA_SIZE, 0) > >> + SANITIZE_PARAMETER(color_range, "color range", > >> (unsigned)codec->color_range > AVCOL_RANGE_NB, > >> AVCOL_RANGE_UNSPECIFIED) > >> + SANITIZE_PARAMETER(color_primaries, "color primaries", > >> (unsigned)codec->color_primaries > AVCOL_PRI_NB, > >> AVCOL_PRI_UNSPECIFIED) > >> + SANITIZE_PARAMETER(color_trc, "color transfer > >> characteristics ", (unsigned)codec->color_trc > AVCOL_TRC_NB, > >> AVCOL_TRC_UNSPECIFIED) > >> + SANITIZE_PARAMETER(colorspace, "color space", > >> (unsigned)codec->colorspace > AVCOL_SPC_NB, > >> AVCOL_SPC_UNSPECIFIED) > >> + SANITIZE_PARAMETER(chroma_sample_location, "chroma location", > >> (unsigned)codec->chroma_sample_location > AVCHROMA_LOC_NB, > >> AVCHROMA_LOC_UNSPECIFIED) > >> + SANITIZE_PARAMETER(has_b_frames, "video delay", > >> codec->has_b_frames < 0, > >> 0) > >> + SANITIZE_PARAMETER(sample_fmt, "sample format", > >> codec->sample_fmt < AV_SAMPLE_FMT_NONE || codec->sample_fmt > > >> AV_SAMPLE_FMT_NB, AV_SAMPLE_FMT_NONE) > > > > This breaks API/ABI > > You mean this uses private API/ABI. > > > for example AVCOL_SPC_NB is not part of the public API of libavutil > > But it's already used in e.g. libavcodec/options_table.h -- which reminds > me that this is a much better place to sanitize options. > I'll send a separate patch doing that. Attached is an updated version > of this patch. > > > one should be able to use av_color_space_name() to detect invalid color > > spaces > > Indeed, that would have worked, too. > > Best regards, > Andreas >
> ffmdec.c | 105
> +++++++++++++++++++++++++++++++++++++--------------------------
> 1 file changed, 62 insertions(+), 43 deletions(-)
> 72925e00379c208f03b9fc3fcd82d0615fc5904d
> 0001-ffmdec-sanitize-codec-parameters.patch
> From 9bc15dfba44533c9e0f2cc54eec519b359f7f0c5 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> Date: Thu, 17 Nov 2016 00:04:57 +0100
> Subject: [PATCH] ffmdec: sanitize codec parameters
>
> A negative extradata size for example gets passed to memcpy in
> avcodec_parameters_from_context causing a segmentation fault.
>
> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> ---
> libavformat/ffmdec.c | 105
> ++++++++++++++++++++++++++++++---------------------
> 1 file changed, 62 insertions(+), 43 deletions(-)
>
> diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
> index 6b09be2..d5e10b0 100644
> --- a/libavformat/ffmdec.c
> +++ b/libavformat/ffmdec.c
> @@ -21,6 +21,7 @@
>
> #include <stdint.h>
>
> +#include "libavutil/imgutils.h"
> #include "libavutil/internal.h"
> #include "libavutil/intreadwrite.h"
> #include "libavutil/intfloat.h"
> @@ -28,6 +29,7 @@
> #include "libavutil/avassert.h"
> #include "libavutil/avstring.h"
> #include "libavutil/pixdesc.h"
> +#include "libavcodec/internal.h"
> #include "avformat.h"
> #include "internal.h"
> #include "ffm.h"
> @@ -277,6 +279,13 @@ static int ffm_append_recommended_configuration(AVStream
> *st, char **conf)
> return 0;
> }
>
> +#define SANITIZE_PARAMETER(parameter, name, check, default) {
> \
> + if (check) {
> \
> + av_log(codec, AV_LOG_WARNING, "Invalid " name " %d\n",
> codec->parameter); \
> + codec->parameter = default;
> \
> + }
> \
> +}
> +
> static int ffm2_read_header(AVFormatContext *s)
> {
> FFMContext *ffm = s->priv_data;
> @@ -346,23 +355,29 @@ static int ffm2_read_header(AVFormatContext *s)
> }
> codec->codec_type = avio_r8(pb);
> if (codec->codec_type != codec_desc->type) {
> - av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d,
> found %d\n",
> + av_log(s, AV_LOG_WARNING, "Codec type mismatch: expected %d,
> found %d\n",
> codec_desc->type, codec->codec_type);
> - codec->codec_id = AV_CODEC_ID_NONE;
> - codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
> - goto fail;
> + codec->codec_type = codec_desc->type;
> }
> codec->bit_rate = avio_rb32(pb);
> + if (codec->bit_rate < 0) {
> + av_log(codec, AV_LOG_WARNING, "Invalid bit rate
> %"PRId64"\n", codec->bit_rate);
> + codec->bit_rate = 0;
> + }
> codec->flags = avio_rb32(pb);
> codec->flags2 = avio_rb32(pb);
> codec->debug = avio_rb32(pb);
> if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
> int size = avio_rb32(pb);
> - codec->extradata = av_mallocz(size +
> AV_INPUT_BUFFER_PADDING_SIZE);
> - if (!codec->extradata)
> - return AVERROR(ENOMEM);
> - codec->extradata_size = size;
> - avio_read(pb, codec->extradata, size);
> + if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) {
> + av_log(s, AV_LOG_WARNING, "Invalid extradata size %d\n",
> size);
i think this and possibly others should be a hard failure
or why would a invalid extradata_size be ok ?
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA
signature.asc
Description: Digital signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
