From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 1D56844252
	for <ffmpegdev@gitmailbox.com>; Mon,  3 Oct 2022 14:50:07 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2985C68BB96;
	Mon,  3 Oct 2022 17:50:04 +0300 (EEST)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net
 [217.70.183.197])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0A62168B44E
 for <ffmpeg-devel@ffmpeg.org>; Mon,  3 Oct 2022 17:49:57 +0300 (EEST)
Received: (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id E68B21C0003;
 Mon,  3 Oct 2022 14:49:56 +0000 (UTC)
Date: Mon, 3 Oct 2022 16:49:55 +0200
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20221003144955.GL6583@pb2>
References: <20221002154323.21278-1-michael@niedermayer.cc>
 <4773580.31r3eYUQgx@basile.remlab.net>
MIME-Version: 1.0
In-Reply-To: <4773580.31r3eYUQgx@basile.remlab.net>
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/bonk: Check step
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Piotr Bandurski <ami_stuff@o2.pl>
Content-Type: multipart/mixed; boundary="===============4105147377603235526=="
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20221003144955.GL6583@pb2/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--===============4105147377603235526==
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="h3BncCmUfYp8450W"
Content-Disposition: inline


--h3BncCmUfYp8450W
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Oct 02, 2022 at 07:13:39PM +0300, R=E9mi Denis-Courmont wrote:
> Le sunnuntaina 2. lokakuuta 2022, 18.43.23 EEST Michael Niedermayer a =E9=
crit :
> > Fixes: signed integer overflow: 2040812214 + 255101526 cannot be repres=
ented
> > in type 'int' Fixes:
> > 51323/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-479=
1481
> > 067503616
> >=20
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/bonk.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >=20
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 409694f710d..32f7c9b9bdb 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -187,6 +187,9 @@ static int intlist_read(BonkContext *s, int *buf, i=
nt
> > entries, int base_2_part) if (!dominant)
> >                  n_zeros +=3D steplet;
> >=20
> > +            if (step > INT_MAX/9*8)

if you want the exact limit for any INT_MAX its:
(INT_MAX + 1ULL) / 9 * 8 + (INT_MAX + 1ULL) % 9 - 1;

though probably a fixed bit value would be better anyway for reproducability


> > +                return AVERROR_INVALIDDATA;
> > +
> >              step +=3D step / 8;
> >          } else if (steplet > 0) {
> >              int actual_run =3D read_uint_max(s, steplet - 1);
>=20
> No problem with this patch *specifically* but wouldn't it be more effecti=
ve to=20
> fix that sort of issue with checked arithmetic, e.g. something like:
>=20
>         if (av_ckd_add(&step, step, step / 8))
>             return AVERROR_INVALIDDATA;
>=20
> ...especially on 64-bit systems whence this is really just an add. This a=
lso=20
> avoids having to figure out what the exact boundary value is.

If someone has a set of testfiles for this decoder then I can look at this
and cleanup the code more completely.
i dont know if a step > C vs overflow check is better but i have the suspic=
ion=20
there are more problems as multiple statments around this seem unreachable.
And iam also missing some check that i would expect to be in there=20

I found links to datafilehost.com to test files but they are all expired
so i have no test files, so iam a bit cautious with changes ...

CCing piotr who linked to the files on datafilehost, maybe he still has
them.

thx

[...]
--=20
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA

--h3BncCmUfYp8450W
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABEIAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCYzr2kAAKCRBhHseHBAsP
q3w/AJ4/iPGuaqu4YRmAh6NDnkkvQWnPuQCff+dP+N6uuOwVSdJbe+f/Ca7SlNg=
=4dM5
-----END PGP SIGNATURE-----

--h3BncCmUfYp8450W--

--===============4105147377603235526==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--===============4105147377603235526==--