[FFmpeg-cvslog] lavf/matroskaenc: fix avio_printf argument types after bump

Anton Khirnov git at videolan.org
Thu Apr 8 12:04:17 EEST 2021


ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Sun Apr  4 10:41:59 2021 +0200| [2822bfbbfbc7a0013849758cc557226d48956424] | committer: Anton Khirnov

lavf/matroskaenc: fix avio_printf argument types after bump

Field precision supplied with the '*' specification must be an int.

Also, make sure converting those fields to int does not overflow.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2822bfbbfbc7a0013849758cc557226d48956424
---

 libavformat/matroskaenc.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index bbf231f2a4..609a588f78 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -2143,7 +2143,7 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac
     mkv_track *track = &mkv->tracks[pkt->stream_index];
     ebml_master blockgroup;
     buffer_size_t id_size, settings_size;
-    int size;
+    int size, id_size_int, settings_size_int;
     const char *id, *settings;
     int64_t ts = track->write_dts ? pkt->dts : pkt->pts;
     const int flags = 0;
@@ -2156,6 +2156,10 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac
                                        &settings_size);
     settings = settings ? settings : "";
 
+    if (id_size > INT_MAX - 2 || settings_size > INT_MAX - id_size - 2 ||
+        pkt->size > INT_MAX - settings_size - id_size - 2)
+        return AVERROR(EINVAL);
+
     size = id_size + 1 + settings_size + 1 + pkt->size;
 
     /* The following string is identical to the one in mkv_write_block so that
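Review bot: The third comparison, `pkt->size > INT_MAX - settings_size - id_size - 2`, rejects a negative `pkt->size` only when `buffer_size_t` is an unsigned type, because only then is the value converted to a large unsigned number. The typedef is not visible in this diff; if it is a signed int in some build configuration, a negative size passes the check and reaches `%.*s` as a negative precision, which printf-style formatting treats as no precision at all, so `pkt->data` would be read up to the first NUL byte. Adding `pkt->size < 0 ||` at the front of the condition makes the guard independent of the typedef. A one-line comment noting that the three tests must stay in this order, since each subtraction relies on the bound set by the one before it, would also help. The function body starts and ends outside this hunk.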
@@ -2175,7 +2179,10 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac
     put_ebml_num(pb, track->track_num, track->track_num_size);
     avio_wb16(pb, ts - mkv->cluster_pts);
     avio_w8(pb, flags);
-    avio_printf(pb, "%.*s\n%.*s\n%.*s", id_size, id, settings_size, settings, pkt->size, pkt->data);
+
+    id_size_int       = id_size;
+    settings_size_int = settings_size;
+    avio_printf(pb, "%.*s\n%.*s\n%.*s", id_size_int, id, settings_size_int, settings, pkt->size, pkt->data);
 
     put_ebml_uint(pb, MATROSKA_ID_BLOCKDURATION, pkt->duration);
     end_ebml_master(pb, blockgroup);
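Review bot: The narrowing assignments to `id_size_int` and `settings_size_int` are lossless only because of the INT_MAX range check added earlier in the function, and nothing at this spot says so. A comment before them, such as `/* lossless: both sizes were range-checked against INT_MAX above */`, would keep a later edit from moving or dropping that check unnoticed. As a matter of style, the two temporaries could be replaced by casts at the call site, `(int)id_size` and `(int)settings_size`, which keeps each conversion next to the `%.*s` it serves. The function body starts and ends outside this hunk.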
@@ -2352,6 +2359,8 @@ static int mkv_write_packet_internal(AVFormatContext *s, const AVPacket *pkt)
     } else {
         if (par->codec_id == AV_CODEC_ID_WEBVTT) {
             duration = mkv_write_vtt_blocks(s, pb, pkt);
+            if (duration < 0)
+                return duration;
         } else {
             ebml_master blockgroup = start_ebml_master(pb, MATROSKA_ID_BLOCKGROUP,
                                                        mkv_blockgroup_size(pkt->size,
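Review bot: The new `if (duration < 0)` test treats every negative return as an error code, yet the same `int` return of `mkv_write_vtt_blocks` also carries the block duration on success, and that contract is not documented anywhere in the diff. The return statement is outside these hunks; if it returns `pkt->duration` directly, a duration that does not fit in an int could come back negative and be reported to the caller as a failure. A comment on the function, such as `/* Returns the block duration on success, a negative AVERROR code on failure. */`, would state the contract, and the range of `pkt->duration` may be worth checking alongside the size checks. The enclosing function continues outside this hunk.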


