On 01/08/14 13:41, [email protected] wrote:
> From: Michael Niedermayer <[email protected]>
> 
> Prevents out of array writes
> Addresses: CVE-2014-2263
> ---
>  libavformat/mpegtsenc.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)

This is an encoder, it means that the data buffer is smaller than you'd
expect.

Is 1012 a random number, or is there a specification mandating it?

> diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
> index 838702e..de27d70 100644
> --- a/libavformat/mpegtsenc.c
> +++ b/libavformat/mpegtsenc.c
> @@ -214,7 +214,7 @@ static void mpegts_write_pat(AVFormatContext *s)
>                            data, q - data);
>  }
>  
> -static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
> +static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
>  {
>      MpegTSWrite *ts = s->priv_data;
>      uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
                    ^^^^
Random magic number


> @@ -270,6 +270,10 @@ static void mpegts_write_pmt(AVFormatContext *s, 
> MpegTSService *service)
>              stream_type = STREAM_TYPE_PRIVATE_DATA;
>              break;
>          }
> +
> +        if (q - data > sizeof(data) - 32)
> +            return AVERROR(EINVAL);
> +
>          *q++ = stream_type;
>          put16(&q, 0xe000 | ts_st->pid);
>          desc_length_ptr = q;
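Review bot: The `32` in `if (q - data > sizeof(data) - 32)` is an unexplained margin, and the guard is only sound if no path through one stream iteration writes more than 32 bytes into `data` before the next check. The visible lines after it write `stream_type` and a 16-bit PID field, and the language loop in the following hunk gets its own `sizeof(data) - 4` bound, but the remaining descriptor branches of the loop lie outside these hunks, so whether they fit the margin cannot be confirmed from here. I would name the margin and state what it covers, e.g. `/* worst-case bytes one stream entry writes outside the bounded language loop */`, and add a bound to any branch that can exceed it. The `return AVERROR(EINVAL);` path also drops the PMT without a diagnostic; an `av_log(s, AV_LOG_ERROR, ...)` call before the return would make the failure visible.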
> @@ -287,7 +291,7 @@ static void mpegts_write_pmt(AVFormatContext *s, 
> MpegTSService *service)
>                  len_ptr = q++;
>                  *len_ptr = 0;
>  
> -                for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = 
> next + 1) {
> +                for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - 
> data < sizeof(data) - 4; p = next + 1) {
>                      next = strchr(p, ',');
>                      if (strlen(p) != 3 && (!next || next != p + 3))
>                          continue; /* not a 3-letter code */
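Review bot: When the added `q - data < sizeof(data) - 4` condition ends the loop, the remaining language codes are dropped silently and a shorter descriptor is written, whereas the buffer check in the previous hunk fails the whole PMT with `AVERROR(EINVAL)`. If truncation is the intended behaviour here, a comment such as `/* stop adding languages when the section buffer is nearly full */` would record that; otherwise the two paths should handle exhaustion the same way. The `for` header now carries three conditions on one over-long line, so the space check may read better as the first statement of the body, `if (q - data >= sizeof(data) - 4) break;`. The loop body continues outside this hunk.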
> @@ -349,6 +353,7 @@ static void mpegts_write_pmt(AVFormatContext *s, 
> MpegTSService *service)
>      }
>      mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
>                            data, q - data);
> +    return 0;
>  }

The return value isn't propagated.

lu