Merge commit '74d98d1b'

* commit '74d98d1b': mpegts: Validate the SL Packet Header Configuration See e630ca51 Our local timestamp_len > 64 is adjusted to > 63 to match the Libav check and the actual specifications (14496-1, 10.2.2). There is no need to request a sample as it violates the specifications and such a file would likely be the result of a crafted/fuzzed sample. On the other hand, the clipping of the value is kept for extra safety. Merged-by: Clément Bœsch <clement@stupeflix.com>

Merge commit '74d98d1b'
* commit '74d98d1b': mpegts: Validate the SL Packet Header Configuration See e630ca51 Our local timestamp_len > 64 is adjusted to > 63 to match the Libav check and the actual specifications (14496-1, 10.2.2). There is no need to request a sample as it violates the specifications and such a file would likely be the result of a crafted/fuzzed sample. On the other hand, the clipping of the value is kept for extra safety. Merged-by: Clément Bœsch <clement@stupeflix.com>
82439dec · Clément Bœsch · 0cd5e281 · 74d98d1b · 82439dec
Commit 82439dec authored Jun 21, 2016 by Clément Bœsch
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 8 deletions

mpegts.c libavformat/mpegts.c +11 -8

No files found.
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1406,6 +1406,14 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
    if (!descr)
        return AVERROR_INVALIDDATA;
+#define R8_CHECK_CLIP_MAX(dst, maxv) do {                       \
+    descr->sl.dst = avio_r8(&d->pb);                            \
+    if (descr->sl.dst > maxv) {                                 \
+        descr->sl.dst = maxv;                                   \
+        return AVERROR_INVALIDDATA;                             \
+    }                                                           \
+} while (0)
    predefined = avio_r8(&d->pb);
    if (!predefined) {
        int lengths;
@@ -1418,14 +1426,9 @@ static int parse_MP4SLDescrTag(MP4DescrParseContext *d, int64_t off, int len)
        descr->sl.use_idle        = !!(flags & 0x02);
        descr->sl.timestamp_res   = avio_rb32(&d->pb);
        avio_rb32(&d->pb);
-        descr->sl.timestamp_len      = avio_r8(&d->pb);
+        R8_CHECK_CLIP_MAX(timestamp_len, 63);
-        if (descr->sl.timestamp_len > 64) {
+        R8_CHECK_CLIP_MAX(ocr_len,       63);
-            avpriv_request_sample(NULL, "timestamp_len > 64");
+        R8_CHECK_CLIP_MAX(au_len,        31);
-            descr->sl.timestamp_len = 64;
-            return AVERROR_PATCHWELCOME;
-        }
-        descr->sl.ocr_len            = avio_r8(&d->pb);
-        descr->sl.au_len             = avio_r8(&d->pb);
        descr->sl.inst_bitrate_len   = avio_r8(&d->pb);
        lengths                      = avio_rb16(&d->pb);
        descr->sl.degr_prior_len     = lengths >> 12;