From 2f2a3397ccf9132237babf9257943bcbe72c315b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 00:22:41 +0200 Subject: avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 282f4635fb..c1dfd6cf25 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -80,6 +80,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -233,6 +242,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ -- cgit v1.2.1