ffmpeg | branch: master | Clément Bœsch <clem...@stupeflix.com> | Tue Jun 21 14:37:55 2016 +0200| [82439dec0fbf8a31159327ddf57096a0013109b9] | committer: Clément Bœsch
Merge commit '74d98d1b0e0e7af444c933ea3c472494de3ce6f2' * commit '74d98d1b0e0e7af444c933ea3c472494de3ce6f2': mpegts: Validate the SL Packet Header Configuration See e630ca5111077fa8adc972fe8a3d7e2b3e8dc91f Our local timestamp_len > 64 is adjusted to > 63 to match the Libav check and the actual specifications (14496-1, 10.2.2). There is no need to request a sample as it violates the specifications and such a file would likely be the result of a crafted/fuzzed sample. On the other hand, the clipping of the value is kept for extra safety. Merged-by: Clément Bœsch <clem...@stupeflix.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=82439dec0fbf8a31159327ddf57096a0013109b9
---
 libavformat/mpegts.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 6acb797..379ffbd 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1406,6 +1406,14 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
 if (!descr) return AVERROR_INVALIDDATA;
+#define R8_CHECK_CLIP_MAX(dst, maxv) do { \
+ descr->sl.dst = avio_r8(&d->pb); \
+ if (descr->sl.dst > maxv) { \
+ descr->sl.dst = maxv; \
+ return AVERROR_INVALIDDATA; \
+ } \
+} while (0)
+
 predefined = avio_r8(&d->pb);
 if (!predefined) {
 int lengths;
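Review bot: `R8_CHECK_CLIP_MAX` hides a `return` and reaches for the locals `descr` and `d` by name, yet it is defined mid-function with no comment and, as far as this hunk and the next one show, no `#undef`, so it stays visible to everything that follows in mpegts.c. I would put a comment above it along the lines of `/* Read an 8-bit SL length field; clip it and fail with AVERROR_INVALIDDATA if it exceeds maxv (14496-1, 10.2.2). Returns from the enclosing function. */` and add `#undef R8_CHECK_CLIP_MAX` after the last use in the second hunk. `maxv` should also be parenthesised in the expansion, `if (descr->sl.dst > (maxv)) {`. parse_MP4SLDescrTag starts before and continues past this hunk.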
@@ -1418,14 +1426,9 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
 descr->sl.use_idle = !!(flags & 0x02);
 descr->sl.timestamp_res = avio_rb32(&d->pb);
 avio_rb32(&d->pb);
- descr->sl.timestamp_len = avio_r8(&d->pb);
- if (descr->sl.timestamp_len > 64) {
- avpriv_request_sample(NULL, "timestamp_len > 64");
- descr->sl.timestamp_len = 64;
- return AVERROR_PATCHWELCOME;
- }
- descr->sl.ocr_len = avio_r8(&d->pb);
- descr->sl.au_len = avio_r8(&d->pb);
+ R8_CHECK_CLIP_MAX(timestamp_len, 63);
+ R8_CHECK_CLIP_MAX(ocr_len, 63);
+ R8_CHECK_CLIP_MAX(au_len, 31);
 descr->sl.inst_bitrate_len = avio_r8(&d->pb);
 lengths = avio_rb16(&d->pb);
 descr->sl.degr_prior_len = lengths >> 12;
======================================================================
diff --cc libavformat/mpegts.c
index 6acb797,740cc14..379ffbd
--- a/libavformat/mpegts.c
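Review bot: `inst_bitrate_len`, on the context line directly after the three new checks, is still stored straight from `avio_r8()` with no bound, so it is the one 8-bit length field in this run that a malformed SL descriptor can set to anything from 0 to 255. Where it is consumed is not visible here; if it is used as a bit count the way the other lengths presumably are, it should get the same treatment, `R8_CHECK_CLIP_MAX(inst_bitrate_len, LIMIT);` with LIMIT (placeholder) taken from 14496-1, or else a comment saying why no limit is needed. The function body continues past this hunk.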
+++ b/libavformat/mpegts.c
@@@ -1406,6 -1151,6 +1406,14 @@@ static int parse_MP4SLDescrTag(MP4Descr
 if (!descr) return AVERROR_INVALIDDATA;
++#define R8_CHECK_CLIP_MAX(dst, maxv) do { \
++ descr->sl.dst = avio_r8(&d->pb); \
++ if (descr->sl.dst > maxv) { \
++ descr->sl.dst = maxv; \
++ return AVERROR_INVALIDDATA; \
++ } \
++} while (0)
++
 predefined = avio_r8(&d->pb);
 if (!predefined) {
 int lengths;
@@@ -1418,14 -1163,9 +1426,9 @@@
 descr->sl.use_idle = !!(flags & 0x02);
 descr->sl.timestamp_res = avio_rb32(&d->pb);
 avio_rb32(&d->pb);
-- descr->sl.timestamp_len = avio_r8(&d->pb);
- if (descr->sl.timestamp_len > 64) {
- avpriv_request_sample(NULL, "timestamp_len > 64");
- descr->sl.timestamp_len = 64;
- return AVERROR_PATCHWELCOME;
- }
-- descr->sl.ocr_len = avio_r8(&d->pb);
-- descr->sl.au_len = avio_r8(&d->pb);
++ R8_CHECK_CLIP_MAX(timestamp_len, 63);
++ R8_CHECK_CLIP_MAX(ocr_len, 63);
++ R8_CHECK_CLIP_MAX(au_len, 31);
 descr->sl.inst_bitrate_len = avio_r8(&d->pb);
 lengths = avio_rb16(&d->pb);
 descr->sl.degr_prior_len = lengths >> 12;
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog