* [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments @ 2022-03-23 9:30 Michael Niedermayer 2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer 2022-06-16 23:49 ` [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer 0 siblings, 2 replies; 5+ messages in thread From: Michael Niedermayer @ 2022-03-23 9:30 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: Timeout Fixes: 45875/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-6121689903136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/aaxdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c index 0ae4057a53..baa405bb17 100644 --- a/libavformat/aaxdec.c +++ b/libavformat/aaxdec.c @@ -251,6 +251,10 @@ static int aax_read_header(AVFormatContext *s) size = avio_rb32(pb); a->segments[r].start = start + a->data_offset; a->segments[r].end = a->segments[r].start + size; + if (r && + a->segments[r].start < a->segments[r-1].end && + a->segments[r].end > a->segments[r-1].start) + return AVERROR_INVALIDDATA; } else return AVERROR_INVALIDDATA; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow 2022-03-23 9:30 [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer @ 2022-03-23 9:30 ` Michael Niedermayer 2022-03-23 11:07 ` Andreas Rheinhardt 2022-06-16 23:49 ` [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer 1 sibling, 1 reply; 5+ messages in thread From: Michael Niedermayer @ 2022-03-23 9:30 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/aiffdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 3634bb4960..c2b8e0dede 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str; + + if (size == INT_MAX) + return; + + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow 2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer @ 2022-03-23 11:07 ` Andreas Rheinhardt 2022-03-23 13:34 ` Michael Niedermayer 0 siblings, 1 reply; 5+ messages in thread From: Andreas Rheinhardt @ 2022-03-23 11:07 UTC (permalink / raw) To: ffmpeg-devel Michael Niedermayer: > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/aiffdec.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c > index 3634bb4960..c2b8e0dede 100644 > --- a/libavformat/aiffdec.c > +++ b/libavformat/aiffdec.c > @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) > /* Metadata string read */ > static void get_meta(AVFormatContext *s, const char *key, int size) > { > - uint8_t *str = av_malloc(size+1); > + uint8_t *str; > + > + if (size == INT_MAX) > + return; > + > + str = av_malloc(size+1); > > if (str) { > int res = avio_read(s->pb, str, size); If a size of INT_MAX is legal, then you can just use "size + 1U" to avoid the wraparound. (The allocation will then fail with the default value of max_alloc_size and in this case the avio_skip() will be executed, so that we don't lose sync (your patch does that).) Looking at get_tag() shows that the size actually comes from a uint32_t which gets truncated to INT_MAX if it is not representable in an int. I don't know whether the specs mandate this behaviour (probably not, so one loses sync). If one wanted to impose an arbitrary limit, I will use something much smaller than INT_MAX. - Andreas _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow 2022-03-23 11:07 ` Andreas Rheinhardt @ 2022-03-23 13:34 ` Michael Niedermayer 0 siblings, 0 replies; 5+ messages in thread From: Michael Niedermayer @ 2022-03-23 13:34 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 2115 bytes --] On Wed, Mar 23, 2022 at 12:07:25PM +0100, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > > Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/aiffdec.c | 7 ++++++- > > 1 file changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c > > index 3634bb4960..c2b8e0dede 100644 > > --- a/libavformat/aiffdec.c > > +++ b/libavformat/aiffdec.c > > @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) > > /* Metadata string read */ > > static void get_meta(AVFormatContext *s, const char *key, int size) > > { > > - uint8_t *str = av_malloc(size+1); > > + uint8_t *str; > > + > > + if (size == INT_MAX) > > + return; > > + > > + str = av_malloc(size+1); > > > > if (str) { > > int res = avio_read(s->pb, str, size); > > If a size of INT_MAX is legal, then you can just use "size + 1U" to > avoid the wraparound. (The allocation will then fail with the default > value of max_alloc_size and in this case the avio_skip() will be > executed, so that we don't lose sync (your patch does that).) > Looking at get_tag() shows that the size actually comes from a uint32_t > which gets truncated to INT_MAX if it is not representable in an int. I > don't know whether the specs mandate this behaviour (probably not, so > one loses sync). If one wanted to impose an arbitrary limit, I will use > something much smaller than INT_MAX. The goal of my patch was to fix the undefined behavior. You are very correct that aiffdec has other bugs. ill send a more complete set of fixes thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB There will always be a question for which you do not know the correct answer. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments 2022-03-23 9:30 [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer 2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer @ 2022-06-16 23:49 ` Michael Niedermayer 1 sibling, 0 replies; 5+ messages in thread From: Michael Niedermayer @ 2022-06-16 23:49 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 635 bytes --] On Wed, Mar 23, 2022 at 10:30:32AM +0100, Michael Niedermayer wrote: > Fixes: Timeout > Fixes: 45875/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-6121689903136768 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/aaxdec.c | 4 ++++ > 1 file changed, 4 insertions(+) will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If you think the mosad wants you dead since a long time then you are either wrong or dead since a long time. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-06-16 23:49 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-03-23 9:30 [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer 2022-03-23 9:30 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow Michael Niedermayer 2022-03-23 11:07 ` Andreas Rheinhardt 2022-03-23 13:34 ` Michael Niedermayer 2022-06-16 23:49 ` [FFmpeg-devel] [PATCH 1/2] avformat/aaxdec: Check for overlaping segments Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git