[FFmpeg-devel] [PATCH] ffmdec: sanitize codec parameters

Michael Niedermayer michael at niedermayer.cc
Fri Nov 18 03:40:57 EET 2016


On Thu, Nov 17, 2016 at 07:35:01PM +0100, Andreas Cadhalpun wrote:
> On 17.11.2016 02:26, Michael Niedermayer wrote:
> > On Thu, Nov 17, 2016 at 01:08:31AM +0100, Andreas Cadhalpun wrote:
> >> +    SANITIZE_PARAMETER(pix_fmt,                "pixel format",                    codec->pix_fmt < AV_PIX_FMT_NONE || codec->pix_fmt > AV_PIX_FMT_NB,             AV_PIX_FMT_NONE)
> >> +    SANITIZE_PARAMETER(bits_per_coded_sample,  "bits per coded sample",           codec->bits_per_coded_sample < 0,                                               0)
> >> +    SANITIZE_PARAMETER(bits_per_raw_sample,    "bits per raw sample",             codec->bits_per_raw_sample < 0,                                                 0)
> >> +    SANITIZE_PARAMETER(extradata_size,         "extradata size",                  codec->extradata_size < 0 || codec->extradata_size >= FF_MAX_EXTRADATA_SIZE,    0)
> >> +    SANITIZE_PARAMETER(color_range,            "color range",                     (unsigned)codec->color_range > AVCOL_RANGE_NB,                                  AVCOL_RANGE_UNSPECIFIED)
> >> +    SANITIZE_PARAMETER(color_primaries,        "color primaries",                 (unsigned)codec->color_primaries > AVCOL_PRI_NB,                                AVCOL_PRI_UNSPECIFIED)
> >> +    SANITIZE_PARAMETER(color_trc,              "color transfer characteristics ", (unsigned)codec->color_trc > AVCOL_TRC_NB,                                      AVCOL_TRC_UNSPECIFIED)
> >> +    SANITIZE_PARAMETER(colorspace,             "color space",                     (unsigned)codec->colorspace > AVCOL_SPC_NB,                                     AVCOL_SPC_UNSPECIFIED)
> >> +    SANITIZE_PARAMETER(chroma_sample_location, "chroma location",                 (unsigned)codec->chroma_sample_location > AVCHROMA_LOC_NB,                      AVCHROMA_LOC_UNSPECIFIED)
> >> +    SANITIZE_PARAMETER(has_b_frames,           "video delay",                     codec->has_b_frames < 0,                                                        0)
> >> +    SANITIZE_PARAMETER(sample_fmt,             "sample format",                   codec->sample_fmt < AV_SAMPLE_FMT_NONE || codec->sample_fmt > AV_SAMPLE_FMT_NB, AV_SAMPLE_FMT_NONE)
> > 
> > This breaks API/ABI
> 
> You mean this uses private API/ABI.
> 
> > for example AVCOL_SPC_NB is not part of the public API of libavutil
> 
> But it's already used in e.g. libavcodec/options_table.h -- which reminds
> me that this is a much better place to sanitize options.
> I'll send a separate patch doing that. Attached is an updated version
> of this patch.
> 
> > one should be able to use av_color_space_name() to detect invalid color
> > spaces
> 
> Indeed, that would have worked, too.
> 
> Best regards,
> Andreas
> 

>  ffmdec.c |  105 +++++++++++++++++++++++++++++++++++++--------------------------
>  1 file changed, 62 insertions(+), 43 deletions(-)
> 72925e00379c208f03b9fc3fcd82d0615fc5904d  0001-ffmdec-sanitize-codec-parameters.patch
> From 9bc15dfba44533c9e0f2cc54eec519b359f7f0c5 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> Date: Thu, 17 Nov 2016 00:04:57 +0100
> Subject: [PATCH] ffmdec: sanitize codec parameters
> 
> A negative extradata size for example gets passed to memcpy in
> avcodec_parameters_from_context causing a segmentation fault.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/ffmdec.c | 105 ++++++++++++++++++++++++++++++---------------------
>  1 file changed, 62 insertions(+), 43 deletions(-)
> 
> diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
> index 6b09be2..d5e10b0 100644
> --- a/libavformat/ffmdec.c
> +++ b/libavformat/ffmdec.c
> @@ -21,6 +21,7 @@
>  
>  #include <stdint.h>
>  
> +#include "libavutil/imgutils.h"
>  #include "libavutil/internal.h"
>  #include "libavutil/intreadwrite.h"
>  #include "libavutil/intfloat.h"
> @@ -28,6 +29,7 @@
>  #include "libavutil/avassert.h"
>  #include "libavutil/avstring.h"
>  #include "libavutil/pixdesc.h"
> +#include "libavcodec/internal.h"
>  #include "avformat.h"
>  #include "internal.h"
>  #include "ffm.h"
> @@ -277,6 +279,13 @@ static int ffm_append_recommended_configuration(AVStream *st, char **conf)
>      return 0;
>  }
>  
> +#define SANITIZE_PARAMETER(parameter, name, check, default) {                     \
> +    if (check) {                                                                  \
> +        av_log(codec, AV_LOG_WARNING, "Invalid " name " %d\n", codec->parameter); \
> +        codec->parameter = default;                                               \
> +    }                                                                             \
> +}
> +
>  static int ffm2_read_header(AVFormatContext *s)
>  {
>      FFMContext *ffm = s->priv_data;
> @@ -346,23 +355,29 @@ static int ffm2_read_header(AVFormatContext *s)
>              }
>              codec->codec_type = avio_r8(pb);
>              if (codec->codec_type != codec_desc->type) {
> -                av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n",
> +                av_log(s, AV_LOG_WARNING, "Codec type mismatch: expected %d, found %d\n",
>                         codec_desc->type, codec->codec_type);
> -                codec->codec_id = AV_CODEC_ID_NONE;
> -                codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
> -                goto fail;
> +                codec->codec_type = codec_desc->type;
>              }
>              codec->bit_rate = avio_rb32(pb);
> +            if (codec->bit_rate < 0) {
> +                av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", codec->bit_rate);
> +                codec->bit_rate = 0;
> +            }
>              codec->flags = avio_rb32(pb);
>              codec->flags2 = avio_rb32(pb);
>              codec->debug = avio_rb32(pb);
>              if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
>                  int size = avio_rb32(pb);
> -                codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
> -                if (!codec->extradata)
> -                    return AVERROR(ENOMEM);
> -                codec->extradata_size = size;
> -                avio_read(pb, codec->extradata, size);
> +                if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) {
> +                    av_log(s, AV_LOG_WARNING, "Invalid extradata size %d\n", size);

i think this and possibly others should be a hard failure
or why would a invalid extradata_size be ok ?

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161118/75d6159d/attachment.sig>


More information about the ffmpeg-devel mailing list