From: Leo Izen
To: ffmpeg-devel@ffmpeg.org
Cc: Michael Niedermayer
Date: Thu, 8 Jun 2023 10:26:34 -0400
Message-Id: <20230608142637.45033-3-leo.izen@gmail.com>
In-Reply-To: <20230608142637.45033-1-leo.izen@gmail.com>
References: <20230608142637.45033-1-leo.izen@gmail.com>
Subject: [FFmpeg-devel] [PATCH 2/5] avformat/jpegxl_probe: check length instead of blindly reading
From: Michael Niedermayer Enable the checked bitreader to avoid overread. Also add a few checks in loops and between blocks so we exit instead of continued execution. Alternatively we could add manual checks so that no overread can happen. This would be slightly faster but a bit more work and a bit more fragile Fixes: Out of array accesses Fixes: 59640/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-6584117345779712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_probe.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 1d9c014f19..e15e9eee49 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -21,6 +21,7 @@ #include "jpegxl_probe.h" +#define UNCHECKED_BITSTREAM_READER 0 #define BITSTREAM_READER_LE #include "libavcodec/get_bits.h" @@ -293,6 +294,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid skip_bits_long(gb, 1); } } + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (!all_default) { jpegxl_skip_bit_depth(gb); @@ -307,6 +310,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid for (uint32_t i = 0; i < num_extra_channels; i++) { if (jpegxl_read_extra_channel_info(gb, validate_level) < 0) return -1; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } xyb_encoded = get_bits1(gb); @@ -336,8 +341,11 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid return -1; if (primaries == FF_JPEGXL_PR_CUSTOM) { /* ux/uy values for r,g,b */ - for (int i = 0; i < 6; i++) + for (int i = 0; i < 6; i++) { jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + } } } } 
@@ -363,10 +371,14 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid skip_bits_long(gb, 16 + 16 + 1 + 16); extensions = jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (extensions) { for (int i = 0; i < 64; i++) { if (extensions & (UINT64_C(1) << i)) jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } } } -- 2.40.1
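Review bot: the new `#define UNCHECKED_BITSTREAM_READER 0` in the first hunk (`@@ -21,6 +21,7 @@`) needs a one-line comment at the define itself: the commit message explains that this is what switches the file to the checked bitreader so that every get_bits*/skip_bits* call is bounds-checked, but nothing at the point of use says so, and a later reader may drop or move it. The placement before `#include "libavcodec/get_bits.h"` is correct and required for the define to take effect; the comment should state that ordering too.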
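Review bot: the checks added in the `@@ -293,6 +294,8 @@` hunk (and the later hunks) return `AVERROR_INVALIDDATA`, while the existing error paths in the same function return `-1` (visible as `return -1;` right above the new check in the `@@ -307` and `@@ -336` hunks). Both are negative, so a caller testing `< 0` is unaffected, but mixing the two conventions inside one function is confusing; either follow the existing `return -1` style here or convert the old paths to `AVERROR_INVALIDDATA` in the same series. It would also help to note once, at this first check, why the comparison is `< 1` rather than `< 0`: more header fields are read after this point, so a buffer that is exactly exhausted here is already invalid.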
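Review bot: in the `@@ -336,8 +341,11 @@` hunk the braces added around the fixed six-iteration `jxl_u32` loop exist only to hold the per-iteration check, but with the checked reader now enabled a single `get_bits_left(gb) < 1` test after the loop rejects the same inputs (the remaining-bit count cannot recover once exhausted) and keeps the loop body as the one-liner it was. If the in-loop check is kept to bail out early, a short comment saying so would avoid the next reader "simplifying" it back out.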
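Review bot: in the `@@ -363,10 +371,14 @@` hunk the second `get_bits_left` check sits in the `for (int i = 0; i < 64; i++)` body outside the unbraced `if (extensions & (UINT64_C(1) << i)) jpegxl_u64(gb);`, so it runs on all 64 iterations even when no bit is set and nothing was read; moving it inside the `if` (with braces) or after the loop removes the redundant tests and makes the intent clearer. For the check directly after `extensions = jpegxl_u64(gb);`, please confirm that at least one more bit is always read after this point; if a header can legitimately end right after an extensions word of zero, the comparison there should be `< 0` rather than `< 1`.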