[FFmpeg-cvslog] lafv/wavdec: Fail bext parsing on incomplete reads

Matt Wolenetz git at videolan.org
Sun Aug 4 22:18:46 EEST 2019


ffmpeg | branch: release/4.2 | Matt Wolenetz <wolenetz at google.com> | Thu Jul 25 15:54:49 2019 -0700| [907027a4f26d6df9a773afd6d92dd88c51822906] | committer: Michael Niedermayer

lafv/wavdec: Fail bext parsing on incomplete reads

avio_read can successfully return even when less than the requested
amount of input was read. wavdec's bext parsing mistakenly assumed a
successful avio_read always read the full amount that was requested.
The result could be dictionary tags populated with partially
uninitialized values.

This change also fixes a broken assertion in wav_parse_bext_string that
was off-by-one, though no known current usage of that method hits that
broken case.

Chromium bug: 987270

Signed-off-by: Matt Wolenetz <wolenetz at chromium.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=907027a4f26d6df9a773afd6d92dd88c51822906
---

 libavformat/wavdec.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 1b131ee2c1..684efd97f9 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -233,9 +233,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key,
     char temp[257];
     int ret;
 
-    av_assert0(length <= sizeof(temp));
-    if ((ret = avio_read(s->pb, temp, length)) < 0)
-        return ret;
+    av_assert0(length < sizeof(temp));
+    if ((ret = avio_read(s->pb, temp, length)) != length)
+        return ret < 0 ? ret : AVERROR_INVALIDDATA;
 
     temp[length] = 0;
 
@@ -304,8 +304,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size)
         if (!(coding_history = av_malloc(size + 1)))
             return AVERROR(ENOMEM);
 
-        if ((ret = avio_read(s->pb, coding_history, size)) < 0)
-            return ret;
+        if ((ret = avio_read(s->pb, coding_history, size)) != size) {
+            av_free(coding_history);
+            return ret < 0 ? ret : AVERROR_INVALIDDATA;
+        }
 
         coding_history[size] = 0;
         if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history,



More information about the ffmpeg-cvslog mailing list