ffmpeg/libavcodec/dvdsub_parser.c
Aidan MacDonald a4405cc0cc avcodec/dvdsub_parser: Fix length check for short packets
The DVD subtitle parser handles two types of packets: "normal"
packets with a 16-bit length, and HD-DVD packets that set the
16-bit length to 0 and encode a 32-bit length in the next four
bytes. This implies that HD-DVD packets are at least six bytes
long, but the code didn't actually verify this.

The faulty length check results in an out of bounds read for
zero-length "normal" packets that occur in the input, which are
only 2 bytes long, but get misinterpreted as an HD-DVD packet.
When this happens the parser reads packet_len from beyond the
end of the input buffer. The subtitle stream is not correctly
decoded after this point due to the garbage packet_len.

Fixing this is pretty simple: fix the length check so packets
less than 6 bytes long will not be mistakenly parsed as HD-DVD
packets.

Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2022-11-16 08:41:14 +01:00

93 lines
3.0 KiB
C

/*
* DVD subtitle decoding
* Copyright (c) 2005 Fabrice Bellard
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <string.h>
#include "libavutil/intreadwrite.h"
#include "libavutil/mem.h"
#include "avcodec.h"
/* parser definition */
typedef struct DVDSubParseContext {
uint8_t *packet;
int packet_len;
int packet_index;
} DVDSubParseContext;
static int dvdsub_parse(AVCodecParserContext *s,
AVCodecContext *avctx,
const uint8_t **poutbuf, int *poutbuf_size,
const uint8_t *buf, int buf_size)
{
DVDSubParseContext *pc = s->priv_data;
*poutbuf = buf;
*poutbuf_size = buf_size;
if (pc->packet_index == 0) {
if (buf_size < 2 || (AV_RB16(buf) == 0 && buf_size < 6)) {
if (buf_size)
av_log(avctx, AV_LOG_DEBUG, "Parser input %d too small\n", buf_size);
return buf_size;
}
pc->packet_len = AV_RB16(buf);
if (pc->packet_len == 0) /* HD-DVD subpicture packet */
pc->packet_len = AV_RB32(buf+2);
av_freep(&pc->packet);
if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len);
return buf_size;
}
pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE);
}
if (pc->packet) {
if (pc->packet_index + buf_size <= pc->packet_len) {
memcpy(pc->packet + pc->packet_index, buf, buf_size);
pc->packet_index += buf_size;
if (pc->packet_index >= pc->packet_len) {
*poutbuf = pc->packet;
*poutbuf_size = pc->packet_len;
pc->packet_index = 0;
return buf_size;
}
} else {
/* erroneous size */
pc->packet_index = 0;
}
}
*poutbuf = NULL;
*poutbuf_size = 0;
return buf_size;
}
static av_cold void dvdsub_parse_close(AVCodecParserContext *s)
{
DVDSubParseContext *pc = s->priv_data;
av_freep(&pc->packet);
}
const AVCodecParser ff_dvdsub_parser = {
.codec_ids = { AV_CODEC_ID_DVD_SUBTITLE },
.priv_data_size = sizeof(DVDSubParseContext),
.parser_parse = dvdsub_parse,
.parser_close = dvdsub_parse_close,
};