1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-19 05:49:09 +02:00
FFmpeg/libavformat/jacosubdec.c
Michael Niedermayer 740a71b583
avformat/jacosubdec: Fix overflow in get_shift()
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-6722544461283328
Fixes: signed integer overflow: 48214448 * 60 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1a68127bbcd3d638363fa0249982c494e87c9e2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-09-24 22:58:21 +02:00

267 lines
7.3 KiB
C

/*
* Copyright (c) 2012 Clément Bœsch
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/**
* @file
* JACOsub subtitle demuxer
* @see http://unicorn.us.com/jacosub/jscripts.html
* @todo Support P[ALETTE] directive.
*/
#include "avformat.h"
#include "internal.h"
#include "subtitles.h"
#include "libavcodec/jacosub.h"
#include "libavutil/avstring.h"
#include "libavutil/bprint.h"
#include "libavutil/intreadwrite.h"
typedef struct {
FFDemuxSubtitlesQueue q;
int shift;
unsigned timeres;
} JACOsubContext;
static int timed_line(const char *ptr)
{
char c;
int fs, fe;
return (sscanf(ptr, "%*u:%*u:%*u.%*u %*u:%*u:%*u.%*u %c", &c) == 1 ||
(sscanf(ptr, "@%u @%u %c", &fs, &fe, &c) == 3 && fs < fe));
}
static int jacosub_probe(const AVProbeData *p)
{
const char *ptr = p->buf;
const char *ptr_end = p->buf + p->buf_size;
if (AV_RB24(ptr) == 0xEFBBBF)
ptr += 3; /* skip UTF-8 BOM */
while (ptr < ptr_end) {
while (jss_whitespace(*ptr))
ptr++;
if (*ptr != '#' && *ptr != '\n') {
if (timed_line(ptr))
return AVPROBE_SCORE_EXTENSION + 1;
return 0;
}
ptr += ff_subtitles_next_line(ptr);
}
return 0;
}
static const char * const cmds[] = {
"CLOCKPAUSE",
"DIRECTIVE",
"FONT",
"HRES",
"INCLUDE",
"PALETTE",
"QUANTIZE",
"RAMP",
"SHIFT",
"TIMERES",
};
static int get_jss_cmd(char k)
{
int i;
k = av_toupper(k);
for (i = 0; i < FF_ARRAY_ELEMS(cmds); i++)
if (k == cmds[i][0])
return i;
return -1;
}
static const char *read_ts(JACOsubContext *jacosub, const char *buf,
int64_t *start, int64_t *duration)
{
int len;
unsigned hs, ms, ss, fs; // hours, minutes, seconds, frame start
unsigned he, me, se, fe; // hours, minutes, seconds, frame end
int ts_start, ts_end;
int64_t ts_start64, ts_end64;
/* timed format */
if (sscanf(buf, "%u:%u:%u.%u %u:%u:%u.%u %n",
&hs, &ms, &ss, &fs,
&he, &me, &se, &fe, &len) == 8) {
ts_start = (hs*3600 + ms*60 + ss) * jacosub->timeres + fs;
ts_end = (he*3600 + me*60 + se) * jacosub->timeres + fe;
goto shift_and_ret;
}
/* timestamps format */
if (sscanf(buf, "@%u @%u %n", &ts_start, &ts_end, &len) == 2)
goto shift_and_ret;
return NULL;
shift_and_ret:
ts_start64 = (ts_start + (int64_t)jacosub->shift) * 100LL / jacosub->timeres;
ts_end64 = (ts_end + (int64_t)jacosub->shift) * 100LL / jacosub->timeres;
*start = ts_start64;
*duration = ts_end64 - ts_start64;
return buf + len;
}
static int get_shift(int timeres, const char *buf)
{
int sign = 1;
int a = 0, b = 0, c = 0, d = 0;
int64_t ret;
#define SSEP "%*1[.:]"
int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d);
#undef SSEP
if (a == INT_MIN)
return 0;
if (*buf == '-' || a < 0) {
sign = -1;
a = FFABS(a);
}
ret = 0;
switch (n) {
case 4:
ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d);
break;
case 3:
ret = sign * (( (int64_t)a*60 + b) * timeres + c);
break;
case 2:
ret = sign * (( (int64_t)a) * timeres + b);
break;
}
if ((int)ret != ret)
ret = 0;
return ret;
}
static int jacosub_read_header(AVFormatContext *s)
{
AVBPrint header;
AVIOContext *pb = s->pb;
char line[JSS_MAX_LINESIZE];
JACOsubContext *jacosub = s->priv_data;
int shift_set = 0; // only the first shift matters
int merge_line = 0;
int i, ret;
AVStream *st = avformat_new_stream(s, NULL);
if (!st)
return AVERROR(ENOMEM);
avpriv_set_pts_info(st, 64, 1, 100);
st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codecpar->codec_id = AV_CODEC_ID_JACOSUB;
jacosub->timeres = 30;
av_bprint_init(&header, 1024+AV_INPUT_BUFFER_PADDING_SIZE, 4096);
while (!avio_feof(pb)) {
int cmd_len;
const char *p = line;
int64_t pos = avio_tell(pb);
int len = ff_get_line(pb, line, sizeof(line));
p = jss_skip_whitespace(p);
/* queue timed line */
if (merge_line || timed_line(p)) {
AVPacket *sub;
sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line);
if (!sub) {
av_bprint_finalize(&header, NULL);
return AVERROR(ENOMEM);
}
sub->pos = pos;
merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n");
continue;
}
/* skip all non-compiler commands and focus on the command */
if (*p != '#')
continue;
p++;
i = get_jss_cmd(p[0]);
if (i == -1)
continue;
/* trim command + spaces */
cmd_len = strlen(cmds[i]);
if (av_strncasecmp(p, cmds[i], cmd_len) == 0)
p += cmd_len;
else
p++;
p = jss_skip_whitespace(p);
/* handle commands which affect the whole script */
switch (cmds[i][0]) {
case 'S': // SHIFT command affect the whole script...
if (!shift_set) {
jacosub->shift = get_shift(jacosub->timeres, p);
shift_set = 1;
}
av_bprintf(&header, "#S %s", p);
break;
case 'T': // ...but must be placed after TIMERES
jacosub->timeres = strtol(p, NULL, 10);
if (!jacosub->timeres)
jacosub->timeres = 30;
else
av_bprintf(&header, "#T %s", p);
break;
}
}
/* general/essential directives in the extradata */
ret = ff_bprint_to_codecpar_extradata(st->codecpar, &header);
if (ret < 0)
return ret;
/* SHIFT and TIMERES affect the whole script so packet timing can only be
* done in a second pass */
for (i = 0; i < jacosub->q.nb_subs; i++) {
AVPacket *sub = jacosub->q.subs[i];
read_ts(jacosub, sub->data, &sub->pts, &sub->duration);
}
ff_subtitles_queue_finalize(s, &jacosub->q);
return 0;
}
const AVInputFormat ff_jacosub_demuxer = {
.name = "jacosub",
.long_name = NULL_IF_CONFIG_SMALL("JACOsub subtitle format"),
.priv_data_size = sizeof(JACOsubContext),
.flags_internal = FF_FMT_INIT_CLEANUP,
.read_probe = jacosub_probe,
.read_header = jacosub_read_header,
.read_packet = ff_subtitles_read_packet,
.read_seek2 = ff_subtitles_read_seek,
.read_close = ff_subtitles_read_close,
};