
Commit ac45885

committed
Protect memory allocation parameters
1 parent ea3bb8a commit ac45885


3 files changed

+31
-3
lines changed


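--- a/libavformat/imf.h
+++ b/libavformat/imf.h
@@ -102,7 +102,7 @@ typedef struct FFIMFTrackFileVirtualTrack {
 FFIMFBaseVirtualTrack base;
 uint32_t resource_count; /**< Number of Resource elements present in the Virtual Track */
 FFIMFTrackFileResource *resources; /**< Resource elements of the Virtual Track */
-uint32_t resources_alloc_sz; /**< Size of the resources buffer */
+unsigned int resources_alloc_sz; /**< Size of the resources buffer */
 } FFIMFTrackFileVirtualTrack;
 
 /**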
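Review bot: The doc comment on `resources_alloc_sz` does not say what unit the size is in, nor why the field is now `unsigned int` while the neighbouring `resource_count` stays `uint32_t`. In imf_cpl.c the field's address is passed as the size argument of `av_fast_realloc()`, which takes an `unsigned int *`, and the requested size there is a count multiplied by `sizeof(FFIMFTrackFileResource)`, so the value is a byte size. I would extend the comment to `/**< Allocated size of the resources buffer in bytes, maintained by av_fast_realloc() (hence unsigned int) */` so a later cleanup does not change the type back.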

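--- a/libavformat/imf_cpl.c
+++ b/libavformat/imf_cpl.c
@@ -324,6 +324,8 @@ static int fill_marker_resource(xmlNodePtr marker_resource_elem,
 if (xmlStrcmp(element->name, "Marker") == 0) {
 void *tmp;
 
+if (marker_resource->marker_count == UINT32_MAX)
+return AVERROR(ENOMEM);
 tmp = av_realloc_array(marker_resource->markers,
 marker_resource->marker_count + 1,
 sizeof(FFIMFMarker));
@@ -384,6 +386,9 @@ static int push_marker_sequence(xmlNodePtr marker_sequence_elem, FFIMFCPL *cpl)
 if (!resource_list_elem)
 return 0;
 resource_elem_count = xmlChildElementCount(resource_list_elem);
+if (resource_elem_count > UINT32_MAX
+|| cpl->main_markers_track->resource_count > UINT32_MAX - resource_elem_count)
+return AVERROR(ENOMEM);
 tmp = av_realloc_array(cpl->main_markers_track->resources,
 cpl->main_markers_track->resource_count + resource_elem_count,
 sizeof(FFIMFMarkerResource));
@@ -456,6 +461,8 @@ static int push_main_audio_sequence(xmlNodePtr audio_sequence_elem, FFIMFCPL *cp
 
 /* create a main audio virtual track if none exists for the sequence */
 if (!vt) {
+if (cpl->main_audio_track_count == UINT32_MAX)
+return AVERROR(ENOMEM);
 tmp = av_realloc_array(cpl->main_audio_tracks,
 cpl->main_audio_track_count + 1,
 sizeof(FFIMFTrackFileVirtualTrack));
@@ -473,6 +480,9 @@ static int push_main_audio_sequence(xmlNodePtr audio_sequence_elem, FFIMFCPL *cp
 if (!resource_list_elem)
 return 0;
 resource_elem_count = xmlChildElementCount(resource_list_elem);
+if (resource_elem_count > UINT32_MAX
+|| vt->resource_count > UINT32_MAX - resource_elem_count)
+return AVERROR(ENOMEM);
 tmp = av_fast_realloc(vt->resources,
 &vt->resources_alloc_sz,
 (vt->resource_count + resource_elem_count) * sizeof(FFIMFTrackFileResource));
@@ -546,6 +556,10 @@ static int push_main_image_2d_sequence(xmlNodePtr image_sequence_elem, FFIMFCPL
 if (!resource_list_elem)
 return 0;
 resource_elem_count = xmlChildElementCount(resource_list_elem);
+if (resource_elem_count > UINT32_MAX
+|| cpl->main_image_2d_track->resource_count > UINT32_MAX - resource_elem_count
+|| (cpl->main_image_2d_track->resource_count + resource_elem_count) > INT_MAX / sizeof(FFIMFTrackFileResource))
+return AVERROR(ENOMEM);
 tmp = av_fast_realloc(cpl->main_image_2d_track->resources,
 &cpl->main_image_2d_track->resources_alloc_sz,
 (cpl->main_image_2d_track->resource_count + resource_elem_count) * sizeof(FFIMFTrackFileResource));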
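Review bot: The new guard in push_main_audio_sequence, just before `av_fast_realloc(vt->resources, ...)`, bounds only the element count, while the size handed to the allocator is the product `(vt->resource_count + resource_elem_count) * sizeof(FFIMFTrackFileResource)`. The equivalent guard in push_main_image_2d_sequence also bounds that product against `INT_MAX / sizeof(FFIMFTrackFileResource)`, so the two paths are inconsistent. Where `size_t` is 32 bits the product can presumably still wrap for a count that passes the first two tests, which would request a buffer smaller than the number of entries the caller expects. I would add the same third condition to the audio check: `|| (vt->resource_count + resource_elem_count) > INT_MAX / sizeof(FFIMFTrackFileResource))`. Both functions start and end outside their hunks, so how the buffer is filled afterwards is not visible here.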

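--- a/libavformat/imfdec.c
+++ b/libavformat/imfdec.c
@@ -92,7 +92,7 @@ typedef struct IMFVirtualTrackPlaybackCtx {
 AVRational duration;
 // Resources
 uint32_t resource_count;
-uint32_t resources_alloc_sz;
+unsigned int resources_alloc_sz;
 IMFVirtualTrackResourcePlaybackCtx *resources;
 // Decoding cursors
 uint32_t current_resource_index;
@@ -154,6 +154,7 @@ static int parse_imf_asset_map_from_xml_dom(AVFormatContext *s,
 xmlNodePtr asset_map_element = NULL;
 xmlNodePtr node = NULL;
 xmlNodePtr asset_element = NULL;
+unsigned long elem_count;
 char *uri;
 int ret = 0;
 IMFAssetLocator *asset = NULL;
@@ -180,8 +181,12 @@ static int parse_imf_asset_map_from_xml_dom(AVFormatContext *s,
 av_log(s, AV_LOG_ERROR, "Unable to parse asset map XML - missing AssetList node\n");
 return AVERROR_INVALIDDATA;
 }
+elem_count = xmlChildElementCount(node);
+if (elem_count > UINT32_MAX
+|| asset_map->asset_count > UINT32_MAX - elem_count)
+return AVERROR(ENOMEM);
 tmp = av_realloc_array(asset_map->assets,
-xmlChildElementCount(node) + asset_map->asset_count,
+elem_count + asset_map->asset_count,
 sizeof(IMFAssetLocator));
 if (!tmp) {
 av_log(NULL, AV_LOG_ERROR, "Cannot allocate IMF asset locators\n");
@@ -436,6 +441,11 @@ static int open_track_file_resource(AVFormatContext *s,
 "Found locator for " FF_IMF_UUID_FORMAT ": %s\n",
 UID_ARG(asset_locator->uuid),
 asset_locator->absolute_uri);
+
+if (track->resource_count > UINT32_MAX - track_file_resource->base.repeat_count
+|| (track->resource_count + track_file_resource->base.repeat_count)
+> INT_MAX / sizeof(IMFVirtualTrackResourcePlaybackCtx))
+return AVERROR(ENOMEM);
 tmp = av_fast_realloc(track->resources,
 &track->resources_alloc_sz,
 (track->resource_count + track_file_resource->base.repeat_count)
@@ -500,6 +510,10 @@ static int open_virtual_track(AVFormatContext *s,
 
 track->current_timestamp = av_make_q(0, track->duration.den);
 
+if (c->track_count == UINT32_MAX) {
+ret = AVERROR(ENOMEM);
+goto clean_up;
+}
 tmp = av_realloc_array(c->tracks, c->track_count + 1, sizeof(IMFVirtualTrackPlaybackCtx *));
 if (!tmp) {
 ret = AVERROR(ENOMEM);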
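Review bot: The three new overflow checks in this file (in parse_imf_asset_map_from_xml_dom, open_track_file_resource and open_virtual_track) fail with `AVERROR(ENOMEM)` and no log line, so a document with an implausible element or repeat count is reported exactly like a genuine allocation failure. The surrounding code does log its failures, for example `"Cannot allocate IMF asset locators\n"` directly below the first check, and the counts appear to come from the parsed XML. A message naming the rejected count would make malformed or hostile input distinguishable during triage. For the asset map check I would add `av_log(s, AV_LOG_ERROR, "Too many assets in asset map (%lu)\n", elem_count);` before the return, and consider `AVERROR_INVALIDDATA` where the count itself, not memory pressure, is the reason for rejecting. All three functions continue outside their hunks.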
