* [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments
@ 2022-03-23 9:30 Michael Niedermayer
2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer
2022-06-16 23:49 ` [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
0 siblings, 2 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-03-23 9:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 45875/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-6121689903136768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/aaxdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
index 0ae4057a53..baa405bb17 100644
--- a/libavformat/aaxdec.c
+++ b/libavformat/aaxdec.c
@@ -251,6 +251,10 @@ static int aax_read_header(AVFormatContext *s)
size = avio_rb32(pb);
a->segments[r].start = start + a->data_offset;
a->segments[r].end = a->segments[r].start + size;
+ if (r &&
+ a->segments[r].start < a->segments[r-1].end &&
+ a->segments[r].end > a->segments[r-1].start)
+ return AVERROR_INVALIDDATA;
} else
return AVERROR_INVALIDDATA;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow
2022-03-23 9:30 [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
@ 2022-03-23 9:30 ` Michael Niedermayer
2022-03-23 11:07 ` Andreas Rheinhardt
2022-06-16 23:49 ` [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
1 sibling, 1 reply; 5+ messages in thread
From: Michael Niedermayer @ 2022-03-23 9:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/aiffdec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index 3634bb4960..c2b8e0dede 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
/* Metadata string read */
static void get_meta(AVFormatContext *s, const char *key, int size)
{
- uint8_t *str = av_malloc(size+1);
+ uint8_t *str;
+
+ if (size == INT_MAX)
+ return;
+
+ str = av_malloc(size+1);
if (str) {
int res = avio_read(s->pb, str, size);
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow
2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer
@ 2022-03-23 11:07 ` Andreas Rheinhardt
2022-03-23 13:34 ` Michael Niedermayer
0 siblings, 1 reply; 5+ messages in thread
From: Andreas Rheinhardt @ 2022-03-23 11:07 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/aiffdec.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
> index 3634bb4960..c2b8e0dede 100644
> --- a/libavformat/aiffdec.c
> +++ b/libavformat/aiffdec.c
> @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
> /* Metadata string read */
> static void get_meta(AVFormatContext *s, const char *key, int size)
> {
> - uint8_t *str = av_malloc(size+1);
> + uint8_t *str;
> +
> + if (size == INT_MAX)
> + return;
> +
> + str = av_malloc(size+1);
>
> if (str) {
> int res = avio_read(s->pb, str, size);
If a size of INT_MAX is legal, then you can just use "size + 1U" to
avoid the wraparound. (The allocation will then fail with the default
value of max_alloc_size and in this case the avio_skip() will be
executed, so that we don't lose sync (your patch does that).)
Looking at get_tag() shows that the size actually comes from a uint32_t
which gets truncated to INT_MAX if it is not representable in an int. I
don't know whether the specs mandate this behaviour (probably not, so
one loses sync). If one wanted to impose an arbitrary limit, I will use
something much smaller than INT_MAX.
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow
2022-03-23 11:07 ` Andreas Rheinhardt
@ 2022-03-23 13:34 ` Michael Niedermayer
0 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-03-23 13:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 2115 bytes --]
On Wed, Mar 23, 2022 at 12:07:25PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> > Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/aiffdec.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
> > index 3634bb4960..c2b8e0dede 100644
> > --- a/libavformat/aiffdec.c
> > +++ b/libavformat/aiffdec.c
> > @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
> > /* Metadata string read */
> > static void get_meta(AVFormatContext *s, const char *key, int size)
> > {
> > - uint8_t *str = av_malloc(size+1);
> > + uint8_t *str;
> > +
> > + if (size == INT_MAX)
> > + return;
> > +
> > + str = av_malloc(size+1);
> >
> > if (str) {
> > int res = avio_read(s->pb, str, size);
>
> If a size of INT_MAX is legal, then you can just use "size + 1U" to
> avoid the wraparound. (The allocation will then fail with the default
> value of max_alloc_size and in this case the avio_skip() will be
> executed, so that we don't lose sync (your patch does that).)
> Looking at get_tag() shows that the size actually comes from a uint32_t
> which gets truncated to INT_MAX if it is not representable in an int. I
> don't know whether the specs mandate this behaviour (probably not, so
> one loses sync). If one wanted to impose an arbitrary limit, I will use
> something much smaller than INT_MAX.
The goal of my patch was to fix the undefined behavior.
You are very correct that aiffdec has other bugs.
ill send a more complete set of fixes
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
There will always be a question for which you do not know the correct answer.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments
2022-03-23 9:30 [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer
@ 2022-06-16 23:49 ` Michael Niedermayer
1 sibling, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-06-16 23:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 635 bytes --]
On Wed, Mar 23, 2022 at 10:30:32AM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 45875/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-6121689903136768
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/aaxdec.c | 4 ++++
> 1 file changed, 4 insertions(+)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-06-16 23:49 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-23 9:30 [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer
2022-03-23 11:07 ` Andreas Rheinhardt
2022-03-23 13:34 ` Michael Niedermayer
2022-06-16 23:49 ` [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git