Date: Wed, 21 Sep 2022 11:35:17 +0200
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20220921093517.GD6583@pb2>
References: <20220918171410.31835-1-michael@niedermayer.cc>
 <20220918171410.31835-2-michael@niedermayer.cc>
 <ab75bceca060624fe9b4efc49b8601d51ec131b0.camel@acc.umu.se>
 <5b3fa2ba445e5fae04459c5ea4f5d982d3a0a0eb.camel@acc.umu.se>
MIME-Version: 1.0
In-Reply-To: <5b3fa2ba445e5fae04459c5ea4f5d982d3a0a0eb.camel@acc.umu.se>
Subject: Re: [FFmpeg-devel] [PATCH 02/13] avformat/mxfdec: Check run_in to fit in int and be valid
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20220921093517.GD6583@pb2/>

On Tue, Sep 20, 2022 at 01:20:00PM +0200, Tomas Härdin wrote:
> Tue 2022-09-20 at 13:07 +0200 Tomas Härdin wrote:
> > Sun 2022-09-18 at 19:13 +0200 Michael Niedermayer wrote:
> > > Fixes: signed integer overflow: 9223372036854775807 - -2146905566
> > > cannot be represented in type 'long'
> > > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> > > 6570996594769920
> > >
> > > Found-by: continuous fuzzing process
> > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavformat/mxfdec.c | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > > index e63e803aa56..da81fea3bc1 100644
> > > --- a/libavformat/mxfdec.c
> > > +++ b/libavformat/mxfdec.c
> > > @@ -3681,6 +3681,7 @@ static int mxf_read_header(AVFormatContext
> > > *s)
> > >      KLVPacket klv;
> > >      int64_t essence_offset = 0;
> > >      int ret;
> > > +    int64_t run_in;
> > >  
> > >      mxf->last_forward_tell = INT64_MAX;
> > >  
> > > @@ -3690,7 +3691,10 @@ static int mxf_read_header(AVFormatContext
> > > *s)
> > >      }
> > >      avio_seek(s->pb, -14, SEEK_CUR);
> > >      mxf->fc = s;
> > > -    mxf->run_in = avio_tell(s->pb);
> > > +    run_in = avio_tell(s->pb);
> > > +    if (run_in < 0 || run_in != (int)run_in)
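Review bot: `run_in != (int)run_in` relies on converting an int64_t value outside the int range back to int, which C leaves implementation-defined, so the intended limit should be written as an explicit comparison against the bound rather than a round-trip cast. The `run_in < 0` half is the part that appears to match the negative right-hand operand in the `9223372036854775807 - -2146905566` overflow quoted in the commit message; a one-line comment saying that this branch also catches a failed avio_tell() would make that explicit. The quote stops at the condition, so the statement taken when it is true (presumably an error return) cannot be reviewed here.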
> >
> > run_in > INT_MAX is more clear
> >
> > It strikes me that run_in is also used in lots of places in the
> > demuxer
> > without checking for overflow
>
> I went and checked S377m and the run-in sequence "shall be less than
> 65536 bytes long". Both the 2004 and 2009 version of the spec agree on
> this. So we should reject run_in >= 65536, and mxf_probe() should be
> similarly adjusted.

ok, will do

thx for checking

I will change the patch by:
@@ -3717,7 +3717,7 @@ static int mxf_read_header(AVFormatContext *s)
     avio_seek(s->pb, -14, SEEK_CUR);
     mxf->fc = s;
     run_in = avio_tell(s->pb);
-    if (run_in < 0 || run_in != (int)run_in)
+    if (run_in < 0 || run_in > 65535)
         return AVERROR_INVALIDDATA;
     mxf->run_in = run_in;
 
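Review bot: 65535 is a bare magic number here, and the same S377M limit reappears as 65536 in mxf_probe(); define one named constant for the maximum run-in (the spec's "less than 65536 bytes" makes 65536 the exclusive bound), use it in both checks and cite the spec in a comment next to the definition, so the two places cannot drift apart and the next reader does not have to rediscover where the value comes from.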
@@ -4125,7 +4125,7 @@ static int mxf_read_close(AVFormatContext *s)
 
 static int mxf_probe(const AVProbeData *p) {
     const uint8_t *bufp = p->buf;
-    const uint8_t *end = p->buf + p->buf_size;
+    const uint8_t *end = p->buf + FFMIN(p->buf_size, 65536 + sizeof(mxf_header_partition_pack_key));
 
     if (p->buf_size < sizeof(mxf_header_partition_pack_key))
         return 0;
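Review bot: the new cap on `end` leaves a one-byte gap with the header check: `p->buf + 65536 + sizeof(mxf_header_partition_pack_key)` still lets the scan find a partition pack key that starts at offset 65536, while mxf_read_header() now rejects run_in > 65535, so such a file could probe as MXF and then fail at header parse. Whether that happens depends on the loop below that walks `bufp` toward `end`, which is outside this hunk; please check its termination condition against the same constant as the header check. Also, FFMIN() here compares the int `p->buf_size` with a size_t expression, so the int is converted to unsigned; that is harmless for a non-negative buffer size but may trip -Wsign-compare, and an explicit cast would keep the intent clear.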

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates
