1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-28 20:53:54 +02:00
FFmpeg/libavformat/subviewerdec.c
Michael Niedermayer b7f51428b1 avformat/subviewerdec: fail on AV_NOPTS_VALUE
Such values are not supported by ff_subtitles_queue*

Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 18:44:31 +02:00

217 lines
6.9 KiB
C

/*
* Copyright (c) 2012 Clément Bœsch
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/**
* @file
* SubViewer subtitle demuxer
* @see https://en.wikipedia.org/wiki/SubViewer
*/
#include "avformat.h"
#include "internal.h"
#include "subtitles.h"
#include "avio_internal.h"
#include "libavcodec/internal.h"
#include "libavutil/avstring.h"
#include "libavutil/bprint.h"
#include "libavutil/intreadwrite.h"
typedef struct {
FFDemuxSubtitlesQueue q;
} SubViewerContext;
static int subviewer_probe(const AVProbeData *p)
{
char c;
const unsigned char *ptr = p->buf;
if (AV_RB24(ptr) == 0xEFBBBF)
ptr += 3; /* skip UTF-8 BOM */
if (sscanf(ptr, "%*u:%*u:%*u.%*u,%*u:%*u:%*u.%*u%c", &c) == 1)
return AVPROBE_SCORE_EXTENSION;
if (!strncmp(ptr, "[INFORMATION]", 13))
return AVPROBE_SCORE_MAX/3;
return 0;
}
static int read_ts(const char *s, int64_t *start, int *duration)
{
int64_t end;
int hh1, mm1, ss1, ms1;
int hh2, mm2, ss2, ms2;
int multiplier = 1;
if (sscanf(s, "%u:%u:%u.%2u,%u:%u:%u.%2u",
&hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) {
multiplier = 10;
} else if (sscanf(s, "%u:%u:%u.%1u,%u:%u:%u.%1u",
&hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) {
multiplier = 100;
}
if (sscanf(s, "%u:%u:%u.%u,%u:%u:%u.%u",
&hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) {
ms1 = FFMIN(ms1, 999);
ms2 = FFMIN(ms2, 999);
end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier;
*start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier;
*duration = end - *start;
return 0;
}
return -1;
}
static int subviewer_read_header(AVFormatContext *s)
{
SubViewerContext *subviewer = s->priv_data;
AVStream *st = avformat_new_stream(s, NULL);
AVBPrint header;
int res = 0, new_event = 1;
int64_t pts_start = AV_NOPTS_VALUE;
int duration = -1;
AVPacket *sub = NULL;
if (!st)
return AVERROR(ENOMEM);
res = ffio_ensure_seekback(s->pb, 3);
if (res < 0)
return res;
if (avio_rb24(s->pb) != 0xefbbbf)
avio_seek(s->pb, -3, SEEK_CUR);
avpriv_set_pts_info(st, 64, 1, 1000);
st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codecpar->codec_id = AV_CODEC_ID_SUBVIEWER;
av_bprint_init(&header, 0, AV_BPRINT_SIZE_UNLIMITED);
while (!avio_feof(s->pb)) {
char line[2048];
int64_t pos = 0;
int len = ff_get_line(s->pb, line, sizeof(line));
if (!len)
break;
line[strcspn(line, "\r\n")] = 0;
if (line[0] == '[' && strncmp(line, "[br]", 4)) {
/* ignore event style, XXX: add to side_data? */
if (strstr(line, "[COLF]") || strstr(line, "[SIZE]") ||
strstr(line, "[FONT]") || strstr(line, "[STYLE]"))
continue;
if (!st->codecpar->extradata) { // header not finalized yet
av_bprintf(&header, "%s\n", line);
if (!strncmp(line, "[END INFORMATION]", 17) || !strncmp(line, "[SUBTITLE]", 10)) {
/* end of header */
res = ff_bprint_to_codecpar_extradata(st->codecpar, &header);
if (res < 0)
goto end;
} else if (strncmp(line, "[INFORMATION]", 13)) {
/* assume file metadata at this point */
int i, j = 0;
char key[32], value[128];
for (i = 1; i < sizeof(key) - 1 && line[i] && line[i] != ']'; i++)
key[i - 1] = av_tolower(line[i]);
key[i - 1] = 0;
if (line[i] == ']')
i++;
while (line[i] == ' ')
i++;
while (j < sizeof(value) - 1 && line[i] && line[i] != ']')
value[j++] = line[i++];
value[j] = 0;
av_dict_set(&s->metadata, key, value, 0);
}
}
} else if (read_ts(line, &pts_start, &duration) >= 0) {
new_event = 1;
pos = avio_tell(s->pb);
} else if (*line) {
if (pts_start == AV_NOPTS_VALUE) {
res = AVERROR_INVALIDDATA;
goto end;
}
if (!new_event) {
sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1);
if (!sub) {
res = AVERROR(ENOMEM);
goto end;
}
}
sub = ff_subtitles_queue_insert(&subviewer->q, line, strlen(line), !new_event);
if (!sub) {
res = AVERROR(ENOMEM);
goto end;
}
if (new_event) {
sub->pos = pos;
sub->pts = pts_start;
sub->duration = duration;
}
new_event = 0;
}
}
ff_subtitles_queue_finalize(s, &subviewer->q);
end:
if (res < 0)
ff_subtitles_queue_clean(&subviewer->q);
av_bprint_finalize(&header, NULL);
return res;
}
static int subviewer_read_packet(AVFormatContext *s, AVPacket *pkt)
{
SubViewerContext *subviewer = s->priv_data;
return ff_subtitles_queue_read_packet(&subviewer->q, pkt);
}
static int subviewer_read_seek(AVFormatContext *s, int stream_index,
int64_t min_ts, int64_t ts, int64_t max_ts, int flags)
{
SubViewerContext *subviewer = s->priv_data;
return ff_subtitles_queue_seek(&subviewer->q, s, stream_index,
min_ts, ts, max_ts, flags);
}
static int subviewer_read_close(AVFormatContext *s)
{
SubViewerContext *subviewer = s->priv_data;
ff_subtitles_queue_clean(&subviewer->q);
return 0;
}
AVInputFormat ff_subviewer_demuxer = {
.name = "subviewer",
.long_name = NULL_IF_CONFIG_SMALL("SubViewer subtitle format"),
.priv_data_size = sizeof(SubViewerContext),
.read_probe = subviewer_probe,
.read_header = subviewer_read_header,
.read_packet = subviewer_read_packet,
.read_seek2 = subviewer_read_seek,
.read_close = subviewer_read_close,
.extensions = "sub",
};