From 15af596205478e3bd1957ebca33acd7079cc8552 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Mon, 5 Dec 2016 08:02:33 -0500 Subject: [PATCH] http: make length/offset-related variables unsigned. Fixes #5992, reported and found by Paul Cher . Gbp-Pq: Name CVE-2016-10190.patch --- libavformat/http.c | 72 ++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 34 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index f445e83..5bf07d5 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -52,8 +52,8 @@ typedef struct { int line_count; int http_code; /* Used if "Transfer-Encoding: chunked" otherwise -1. */ - int64_t chunksize; - int64_t off, end_off, filesize; + uint64_t chunksize; + uint64_t off, end_off, filesize; char *location; HTTPAuthState auth_state; HTTPAuthState proxy_auth_state; @@ -75,9 +75,9 @@ typedef struct { int post_datalen; int icy; /* how much data was read since the last ICY metadata packet */ - int icy_data_read; + uint64_t icy_data_read; /* after how many bytes of read data a new metadata packet will be found */ - int icy_metaint; + uint64_t icy_metaint; char *icy_metadata_headers; char *icy_metadata_packet; AVDictionary *metadata; @@ -278,7 +278,7 @@ static int http_open(URLContext *h, const char *uri, int flags, h->is_streamed = 1; - s->filesize = -1; + s->filesize = UINT64_MAX; s->location = av_strdup(uri); if (!s->location) return AVERROR(ENOMEM); @@ -375,9 +375,9 @@ static void parse_content_range(URLContext *h, const char *p) if (!strncmp(p, "bytes ", 6)) { p += 6; - s->off = strtoll(p, NULL, 10); + s->off = strtoull(p, NULL, 10); if ((slash = strchr(p, '/')) && strlen(slash) > 0) - s->filesize = strtoll(slash + 1, NULL, 10); + s->filesize = strtoull(slash + 1, NULL, 10); } h->is_streamed = 0; /* we _can_ in fact seek */ } @@ -479,8 +479,9 @@ static int process_line(URLContext *h, char *line, int line_count, if ((ret = parse_location(s, p)) < 0) return ret; *new_location = 1; - } else if (!av_strcasecmp(tag, "Content-Length") && s->filesize == -1) { - s->filesize = strtoll(p, NULL, 10); + } else if (!av_strcasecmp(tag, "Content-Length") && + s->filesize == UINT64_MAX) { + s->filesize = strtoull(p, NULL, 10); } else if (!av_strcasecmp(tag, "Content-Range")) { parse_content_range(h, p); } else if (!av_strcasecmp(tag, "Accept-Ranges") && @@ -488,7 +489,7 @@ static int process_line(URLContext *h, char *line, int line_count, h->is_streamed = 0; } else if (!av_strcasecmp(tag, "Transfer-Encoding") && !av_strncasecmp(p, "chunked", 7)) { - s->filesize = -1; + s->filesize = UINT64_MAX; s->chunksize = 0; } else if (!av_strcasecmp(tag, "WWW-Authenticate")) { ff_http_auth_handle_header(&s->auth_state, tag, p); @@ -503,7 +504,7 @@ static int process_line(URLContext *h, char *line, int line_count, av_free(s->mime_type); s->mime_type = av_strdup(p); } else if (!av_strcasecmp(tag, "Icy-MetaInt")) { - s->icy_metaint = strtoll(p, NULL, 10); + s->icy_metaint = strtoull(p, NULL, 10); } else if (!av_strncasecmp(tag, "Icy-", 4)) { if ((ret = parse_icy(s, tag, p)) < 0) return ret; @@ -529,7 +530,7 @@ static int http_read_header(URLContext *h, int *new_location) char line[MAX_URL_SIZE]; int err = 0; - s->chunksize = -1; + s->chunksize = UINT64_MAX; for (;;) { if ((err = http_get_line(s, line, sizeof(line))) < 0) @@ -556,7 +557,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int post, err; char headers[HTTP_HEADERS_SIZE] = ""; char *authstr = NULL, *proxyauthstr = NULL; - int64_t off = s->off; + uint64_t off = s->off; int len = 0; const char *method; int send_expect_100 = 0; @@ -604,7 +605,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, // server supports seeking by analysing the reply headers. if (!has_header(s->headers, "\r\nRange: ") && !post) { len += av_strlcatf(headers + len, sizeof(headers) - len, - "Range: bytes=%"PRId64"-", s->off); + "Range: bytes=%"PRIu64"-", s->off); if (s->end_off) len += av_strlcatf(headers + len, sizeof(headers) - len, "%"PRId64, s->end_off - 1); @@ -671,7 +672,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, s->line_count = 0; s->off = 0; s->icy_data_read = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; s->willclose = 0; s->end_chunked_post = 0; s->end_header = 0; @@ -688,7 +689,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, if (err < 0) return err; - return (off == s->off) ? 0 : -1; + return (off == s->off) ? 0 : UINT64_MAX; } static int http_buf_read(URLContext *h, uint8_t *buf, int size) @@ -703,15 +704,13 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) memcpy(buf, s->buf_ptr, len); s->buf_ptr += len; } else { - int64_t target_end = s->end_off ? s->end_off : s->filesize; - if ((!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off >= target_end) + uint64_t target_end = s->end_off ? s->end_off : s->filesize; + if ((!s->willclose || s->chunksize == UINT64_MAX) && s->off >= target_end) return AVERROR_EOF; len = ffurl_read(s->hd, buf, size); - if (!len && (!s->willclose || s->chunksize < 0) && - target_end >= 0 && s->off < target_end) { + if (!len && (!s->willclose || s->chunksize == UINT64_MAX) && s->off < target_end) { av_log(h, AV_LOG_ERROR, - "Streams ends prematurly at %"PRId64", should be %"PRId64"\n", + "Streams ends prematurly at %"PRIu64", should be %"PRIu64"\n", s->off, target_end ); return AVERROR(EIO); @@ -772,7 +771,7 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } - if (s->chunksize >= 0) { + if (s->chunksize != UINT64_MAX) { if (!s->chunksize) { char line[32]; @@ -782,19 +781,23 @@ static int http_read_stream(URLContext *h, uint8_t *buf, int size) return err; } while (!*line); /* skip CR LF from last chunk */ - s->chunksize = strtoll(line, NULL, 16); + s->chunksize = strtoull(line, NULL, 16); - av_dlog(NULL, "Chunked encoding data size: %"PRId64"'\n", + av_log(h, AV_LOG_DEBUG, + "Chunked encoding data size: %"PRIu64"'\n", s->chunksize); - if (s->chunksize < 0) - return AVERROR_INVALIDDATA; - else if (!s->chunksize) + if (!s->chunksize) return 0; - break; + else if (s->chunksize == UINT64_MAX) { + av_log(h, AV_LOG_ERROR, "Invalid chunk size %"PRIu64"\n", + s->chunksize); + return AVERROR_INVALIDDATA; + } } } size = FFMIN(size, s->chunksize); } + #if CONFIG_ZLIB if (s->compressed) return http_buf_read_compressed(h, buf, size); @@ -844,10 +847,11 @@ static int store_icy(URLContext *h, int size) { HTTPContext *s = h->priv_data; /* until next metadata packet */ - int remaining = s->icy_metaint - s->icy_data_read; + uint64_t remaining; - if (remaining < 0) + if (s->icy_metaint < s->icy_data_read) return AVERROR_INVALIDDATA; + remaining = s->icy_metaint - s->icy_data_read; if (!remaining) { /* The metadata packet is variable sized. It has a 1 byte header @@ -960,7 +964,7 @@ static int64_t http_seek(URLContext *h, int64_t off, int whence) { HTTPContext *s = h->priv_data; URLContext *old_hd = s->hd; - int64_t old_off = s->off; + uint64_t old_off = s->off; uint8_t old_buf[BUFFER_SIZE]; int old_buf_size, ret; AVDictionary *options = NULL; @@ -970,7 +974,7 @@ static int64_t http_seek(URLContext *h, int64_t off, int whence) else if ((whence == SEEK_CUR && off == 0) || (whence == SEEK_SET && off == s->off)) return s->off; - else if ((s->filesize == -1 && whence == SEEK_END) || h->is_streamed) + else if ((s->filesize == UINT64_MAX && whence == SEEK_END) || h->is_streamed) return AVERROR(ENOSYS); /* we save the old context in case the seek fails */ @@ -1105,7 +1109,7 @@ redo: s->buf_ptr = s->buffer; s->buf_end = s->buffer; s->line_count = 0; - s->filesize = -1; + s->filesize = UINT64_MAX; cur_auth_type = s->proxy_auth_state.auth_type; /* Note: This uses buffering, potentially reading more than the -- 2.30.2