avformat/mms: Add missing chunksize check

Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch <paulcher@icloud.com> 1st hunk by Paul Ch <paulcher@icloud.com> Tested-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/mms: Add missing chunksize check
Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch <paulcher@icloud.com> 1st hunk by Paul Ch <paulcher@icloud.com> Tested-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
cced03dd · Michael Niedermayer · a2317556 · cced03dd
Commit cced03dd authored Jul 03, 2018 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 18 deletions

mms.c libavformat/mms.c +26 -18

No files found.
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms)
                }
            }
        } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) {
-            flags     = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
+            if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) {
-            stream_id = flags & 0x7F;
+                flags     = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
-            //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
+                stream_id = flags & 0x7F;
-            //we can calculate the packet size by stream_num.
+                //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
-            //Please see function send_stream_selection_request().
+                //we can calculate the packet size by stream_num.
-            if (mms->stream_num < MMS_MAX_STREAMS &&
+                //Please see function send_stream_selection_request().
-                    46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
+                if (mms->stream_num < MMS_MAX_STREAMS &&
-                mms->streams = av_fast_realloc(mms->streams,
+                        46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
-                                   &mms->nb_streams_allocated,
+                    mms->streams = av_fast_realloc(mms->streams,
-                                   (mms->stream_num + 1) * sizeof(MMSStream));
+                                       &mms->nb_streams_allocated,
-                if (!mms->streams)
+                                       (mms->stream_num + 1) * sizeof(MMSStream));
-                    return AVERROR(ENOMEM);
+                    if (!mms->streams)
-                mms->streams[mms->stream_num].id = stream_id;
+                        return AVERROR(ENOMEM);
-                mms->stream_num++;
+                    mms->streams[mms->stream_num].id = stream_id;
-            } else {
+                    mms->stream_num++;
-                av_log(NULL, AV_LOG_ERROR,
+                } else {
-                       "Corrupt stream (too many A/V streams)\n");
+                    av_log(NULL, AV_LOG_ERROR,
-                return AVERROR_INVALIDDATA;
+                           "Corrupt stream (too many A/V streams)\n");
+                    return AVERROR_INVALIDDATA;
+                }
            }
        } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
            if (end - p >= 88) {
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
            }
        } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
            chunksize = 46; // see references [2] section 3.4. This should be set 46.
+            if (chunksize > end - p) {
+                av_log(NULL, AV_LOG_ERROR,
+                    "Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+                    chunksize);
+                return AVERROR_INVALIDDATA;
+            }
        }
        p += chunksize;
    }