From f17200f600548e2cba090bbc3658ee330e41529d Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Wed, 15 Apr 2020 20:54:42 +0200
Subject: [PATCH] fftools/ffmpeg_opt: Check attachment filesize
The data of an attachment file is put into an AVCodecParameter's extradata. The corresponding size field has type int, yet there was no check for the size to fit into an int. As a consequence, it was possible to create extradata with negative size (by using a big enough max_alloc). Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit systems) then the file size might be truncated before the allocation; and avio_read() takes an int, too, so one would not have read as much as one desired. Furthermore, the extradata is now padded as is required.
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80)
Signed-off-by: Andreas Rheinhardt
---
 ffmpeg_opt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c
index e73a61059f..5f53a7a89d 100644
--- a/ffmpeg_opt.c
+++ b/ffmpeg_opt.c
@@ -2303,12 +2303,14 @@ loop_end:
 o->attachments[i]);
 exit_program(1);
 }
- if (!(attachment = av_malloc(len))) {
- av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n",
+ if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE ||
+ !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) {
+ av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n",
 o->attachments[i]);
 exit_program(1);
 }
 avio_read(pb, attachment, len);
+ memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
 ost = new_attachment_stream(o, oc, -1);
 ost->stream_copy = 0;
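Review bot: The return value of `avio_read(pb, attachment, len);` is still ignored on the new side, so a short read or I/O error leaves the unread tail of the `av_malloc()`ed buffer uninitialized; only the padding is zeroed by the added `memset`. If the code after the hunk records `len` as the extradata size (that assignment is outside the hunk, so this is inferred), stale heap bytes could be written into the output file as attachment data. The read should be checked, for example `if (avio_read(pb, attachment, len) != len)` followed by the same `av_log(NULL, AV_LOG_FATAL, ...)` / `exit_program(1)` pattern the size check uses. The enclosing function starts and ends outside the hunk, so whether `<limits.h>` and `<string.h>` are already included for `INT_MAX` and `memset` cannot be confirmed from here.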