From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 2848540421
	for <ffmpegdev@gitmailbox.com>; Wed, 23 Mar 2022 13:34:12 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E6BFD68AA6A;
	Wed, 23 Mar 2022 15:34:09 +0200 (EET)
Received: from relay11.mail.gandi.net (relay11.mail.gandi.net [217.70.178.231])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 5C7A868020F
 for <ffmpeg-devel@ffmpeg.org>; Wed, 23 Mar 2022 15:34:03 +0200 (EET)
Received: from localhost (213-47-68-29.cable.dynamic.surfer.at [213.47.68.29])
 (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id 50747100016
 for <ffmpeg-devel@ffmpeg.org>; Wed, 23 Mar 2022 13:34:02 +0000 (UTC)
Date: Wed, 23 Mar 2022 14:34:01 +0100
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20220323133401.GT2829255@pb2>
References: <20220323093033.24577-1-michael@niedermayer.cc>
 <20220323093033.24577-2-michael@niedermayer.cc>
 <AS1PR01MB956477C5EFEB4542AD9491BF8F189@AS1PR01MB9564.eurprd01.prod.exchangelabs.com>
MIME-Version: 1.0
In-Reply-To: <AS1PR01MB956477C5EFEB4542AD9491BF8F189@AS1PR01MB9564.eurprd01.prod.exchangelabs.com>
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated
 size for overflow
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: multipart/mixed; boundary="===============1166959167528387318=="
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20220323133401.GT2829255@pb2/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--===============1166959167528387318==
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="x/FQ9EGCaQ9YXQ8+"
Content-Disposition: inline


--x/FQ9EGCaQ9YXQ8+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Mar 23, 2022 at 12:07:25PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in=
 type 'int'
> > Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159=
183893889024
> >=20
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz=
/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/aiffdec.c | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
> >=20
> > diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
> > index 3634bb4960..c2b8e0dede 100644
> > --- a/libavformat/aiffdec.c
> > +++ b/libavformat/aiffdec.c
> > @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
> >  /* Metadata string read */
> >  static void get_meta(AVFormatContext *s, const char *key, int size)
> >  {
> > -    uint8_t *str =3D av_malloc(size+1);
> > +    uint8_t *str;
> > +
> > +    if (size =3D=3D INT_MAX)
> > +        return;
> > +
> > +    str =3D av_malloc(size+1);
> > =20
> >      if (str) {
> >          int res =3D avio_read(s->pb, str, size);
>=20
> If a size of INT_MAX is legal, then you can just use "size + 1U" to
> avoid the wraparound. (The allocation will then fail with the default
> value of max_alloc_size and in this case the avio_skip() will be
> executed, so that we don't lose sync (your patch does that).)

> Looking at get_tag() shows that the size actually comes from a uint32_t
> which gets truncated to INT_MAX if it is not representable in an int. I
> don't know whether the specs mandate this behaviour (probably not, so
> one loses sync). If one wanted to impose an arbitrary limit, I will use
> something much smaller than INT_MAX.

The goal of my patch was to fix the undefined behavior.
You are very correct that aiffdec has other bugs.

ill send a more complete set of fixes=20

thx

[...]
--=20
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct answe=
r.

--x/FQ9EGCaQ9YXQ8+
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABEIAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCYjshxQAKCRBhHseHBAsP
q5wrAJ4wrCdrId3heFkWRsYz+SMbKziasQCdGU/IJZOeCmOggHIdwzllhIov/K8=
=Neht
-----END PGP SIGNATURE-----

--x/FQ9EGCaQ9YXQ8+--

--===============1166959167528387318==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--===============1166959167528387318==--