* [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes
@ 2023-06-08 14:26 Leo Izen
2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 1/5] avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() Leo Izen
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: Leo Izen @ 2023-06-08 14:26 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Leo Izen
Three patches from michalni copied exactly as is from the ML just placed
here for clarity.
The two authored by me, the probe change is cosmetic, and the animation
dec change fixes the issue referenced a cvslog email: <20230608002033.GF870501@pb2>
Leo Izen (2):
avformat/jpegxl_probe: inline various ret < 0 checks
avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container
Michael Niedermayer (3):
avformat/jpegxl_probe: Remove intermediate macro obfuscation around
get_bits*()
avformat/jpegxl_probe: check length instead of blindly reading
avformat/jpegxl_probe: Forward error codes
libavformat/jpegxl_anim_dec.c | 8 +-
libavformat/jpegxl_probe.c | 198 ++++++++++++++++++----------------
2 files changed, 112 insertions(+), 94 deletions(-)
--
2.40.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 11+ messages in thread* [FFmpeg-devel] [PATCH 1/5] avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() 2023-06-08 14:26 [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes Leo Izen @ 2023-06-08 14:26 ` Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 2/5] avformat/jpegxl_probe: check length instead of blindly reading Leo Izen ` (3 subsequent siblings) 4 siblings, 0 replies; 11+ messages in thread From: Leo Izen @ 2023-06-08 14:26 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Michael Niedermayer From: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/jpegxl_probe.c | 169 +++++++++++++++++++------------------ 1 file changed, 85 insertions(+), 84 deletions(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index a3845b037d..1d9c014f19 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -57,49 +57,50 @@ enum JpegXLPrimaries { FF_JPEGXL_PR_P3 = 11, }; -#define jxl_bits(n) get_bits_long(gb, (n)) -#define jxl_bits_skip(n) skip_bits_long(gb, (n)) -#define jxl_u32(c0, c1, c2, c3, u0, u1, u2, u3) jpegxl_u32(gb, \ - (const uint32_t[]){c0, c1, c2, c3}, (const uint32_t[]){u0, u1, u2, u3}) -#define jxl_u64() jpegxl_u64(gb) -#define jxl_enum() jxl_u32(0, 1, 2, 18, 0, 0, 4, 6) - /* read a U32(c_i + u(u_i)) */ -static uint32_t jpegxl_u32(GetBitContext *gb, - const uint32_t constants[4], const uint32_t ubits[4]) +static av_always_inline uint32_t jxl_u32(GetBitContext *gb, + uint32_t c0, uint32_t c1, uint32_t c2, uint32_t c3, + uint32_t u0, uint32_t u1, uint32_t u2, uint32_t u3) { - uint32_t ret, choice = jxl_bits(2); + const uint32_t constants[4] = {c0, c1, c2, c3}; + const uint32_t ubits [4] = {u0, u1, u2, u3}; + uint32_t ret, choice = get_bits(gb, 2); ret = constants[choice]; if (ubits[choice]) - ret += jxl_bits(ubits[choice]); + ret += get_bits_long(gb, ubits[choice]); return ret; } +static av_always_inline uint32_t jxl_enum(GetBitContext *gb) +{ + return jxl_u32(gb, 0, 1, 2, 18, 0, 0, 4, 6); +} + /* read a U64() */ static uint64_t jpegxl_u64(GetBitContext *gb) { uint64_t shift = 12, ret; - switch (jxl_bits(2)) { + switch (get_bits(gb, 2)) { case 0: ret = 0; break; case 1: - ret = 1 + jxl_bits(4); + ret = 1 + get_bits(gb, 4); break; case 2: - ret = 17 + jxl_bits(8); + ret = 17 + get_bits(gb, 8); break; case 3: - ret = jxl_bits(12); - while (jxl_bits(1)) { + ret = get_bits(gb, 12); + while (get_bits1(gb)) { if (shift < 60) { - ret |= (uint64_t)jxl_bits(8) << shift; + ret |= (uint64_t)get_bits(gb, 8) << shift; shift += 8; } else { - ret |= (uint64_t)jxl_bits(4) << shift; + ret |= (uint64_t)get_bits(gb, 4) << shift; break; } } @@ -142,18 +143,18 @@ static int jpegxl_read_size_header(GetBitContext *gb) { uint32_t width, height; - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* small size header */ - height = (jxl_bits(5) + 1) << 3; - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = (get_bits(gb, 5) + 1) << 3; + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = (jxl_bits(5) + 1) << 3; + width = (get_bits(gb, 5) + 1) << 3; } else { /* large size header */ - height = 1 + jxl_u32(0, 0, 0, 0, 9, 13, 18, 30); - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = 1 + jxl_u32(gb, 0, 0, 0, 0, 9, 13, 18, 30); + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = 1 + jxl_u32(0, 0, 0, 0, 9, 13, 18, 30); + width = 1 + jxl_u32(gb, 0, 0, 0, 0, 9, 13, 18, 30); } if (width > (1 << 18) || height > (1 << 18) || (width >> 4) * (height >> 4) > (1 << 20)) @@ -170,18 +171,18 @@ static int jpegxl_read_preview_header(GetBitContext *gb) { uint32_t width, height; - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* coded height and width divided by eight */ - height = jxl_u32(16, 32, 1, 33, 0, 0, 5, 9) << 3; - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = jxl_u32(gb, 16, 32, 1, 33, 0, 0, 5, 9) << 3; + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = jxl_u32(16, 32, 1, 33, 0, 0, 5, 9) << 3; + width = jxl_u32(gb, 16, 32, 1, 33, 0, 0, 5, 9) << 3; } else { /* full height and width coded */ - height = jxl_u32(1, 65, 321, 1345, 6, 8, 10, 12); - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = jxl_u32(gb, 1, 65, 321, 1345, 6, 8, 10, 12); + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = jxl_u32(1, 65, 321, 1345, 6, 8, 10, 12); + width = jxl_u32(gb, 1, 65, 321, 1345, 6, 8, 10, 12); } if (width > 4096 || height > 4096) return -1; @@ -194,13 +195,13 @@ static int jpegxl_read_preview_header(GetBitContext *gb) */ static void jpegxl_skip_bit_depth(GetBitContext *gb) { - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* float samples */ - jxl_u32(32, 16, 24, 1, 0, 0, 0, 6); /* mantissa */ - jxl_bits_skip(4); /* exponent */ + jxl_u32(gb, 32, 16, 24, 1, 0, 0, 0, 6); /* mantissa */ + skip_bits_long(gb, 4); /* exponent */ } else { /* integer samples */ - jxl_u32(8, 10, 12, 1, 0, 0, 0, 6); + jxl_u32(gb, 8, 10, 12, 1, 0, 0, 0, 6); } } @@ -210,34 +211,34 @@ static void jpegxl_skip_bit_depth(GetBitContext *gb) */ static int jpegxl_read_extra_channel_info(GetBitContext *gb, int validate_level) { - int all_default = jxl_bits(1); + int all_default = get_bits1(gb); uint32_t type, name_len = 0; if (!all_default) { - type = jxl_enum(); + type = jxl_enum(gb); if (type > 63) return -1; /* enum types cannot be 64+ */ if (type == FF_JPEGXL_CT_BLACK && validate_level) return -1; jpegxl_skip_bit_depth(gb); - jxl_u32(0, 3, 4, 1, 0, 0, 0, 3); /* dim-shift */ + jxl_u32(gb, 0, 3, 4, 1, 0, 0, 0, 3); /* dim-shift */ /* max of name_len is 1071 = 48 + 2^10 - 1 */ - name_len = jxl_u32(0, 0, 16, 48, 0, 4, 5, 10); + name_len = jxl_u32(gb, 0, 0, 16, 48, 0, 4, 5, 10); } else { type = FF_JPEGXL_CT_ALPHA; } /* skip over the name */ - jxl_bits_skip(8 * name_len); + skip_bits_long(gb, 8 * name_len); if (!all_default && type == FF_JPEGXL_CT_ALPHA) - jxl_bits_skip(1); + skip_bits1(gb); if (type == FF_JPEGXL_CT_SPOT_COLOR) - jxl_bits_skip(16 * 4); + skip_bits_long(gb, 16 * 4); if (type == FF_JPEGXL_CT_CFA) - jxl_u32(1, 0, 3, 19, 0, 2, 4, 8); + jxl_u32(gb, 1, 0, 3, 19, 0, 2, 4, 8); return 0; } @@ -256,40 +257,40 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid if (ret < 0) return ret; - if (jxl_bits(16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) + if (get_bits_long(gb, 16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) return -1; if (jpegxl_read_size_header(gb) < 0 && validate_level) return -1; - all_default = jxl_bits(1); + all_default = get_bits1(gb); if (!all_default) - extra_fields = jxl_bits(1); + extra_fields = get_bits1(gb); if (extra_fields) { - jxl_bits_skip(3); /* orientation */ + skip_bits_long(gb, 3); /* orientation */ /* * intrinstic size * any size header here is valid, but as it * is variable length we have to read it */ - if (jxl_bits(1)) + if (get_bits1(gb)) jpegxl_read_size_header(gb); /* preview header */ - if (jxl_bits(1)) { + if (get_bits1(gb)) { if (jpegxl_read_preview_header(gb) < 0) return -1; } /* animation header */ - if (jxl_bits(1)) { + if (get_bits1(gb)) { animation_offset = get_bits_count(gb); - jxl_u32(100, 1000, 1, 1, 0, 0, 10, 30); - jxl_u32(1, 1001, 1, 1, 0, 0, 8, 10); - jxl_u32(0, 0, 0, 0, 0, 3, 16, 32); - jxl_bits_skip(1); + jxl_u32(gb, 100, 1000, 1, 1, 0, 0, 10, 30); + jxl_u32(gb, 1, 1001, 1, 1, 0, 0, 8, 10); + jxl_u32(gb, 0, 0, 0, 0, 0, 3, 16, 32); + skip_bits_long(gb, 1); } } @@ -297,10 +298,10 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid jpegxl_skip_bit_depth(gb); /* modular_16bit_buffers must equal 1 */ - if (!jxl_bits(1) && validate_level) + if (!get_bits1(gb) && validate_level) return -1; - num_extra_channels = jxl_u32(0, 1, 2, 1, 0, 0, 4, 12); + num_extra_channels = jxl_u32(gb, 0, 1, 2, 1, 0, 0, 4, 12); if (num_extra_channels > 4 && validate_level) return -1; for (uint32_t i = 0; i < num_extra_channels; i++) { @@ -308,85 +309,85 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid return -1; } - xyb_encoded = jxl_bits(1); + xyb_encoded = get_bits1(gb); /* color encoding bundle */ - if (!jxl_bits(1)) { + if (!get_bits1(gb)) { uint32_t color_space; - have_icc_profile = jxl_bits(1); - color_space = jxl_enum(); + have_icc_profile = get_bits1(gb); + color_space = jxl_enum(gb); if (color_space > 63) return -1; if (!have_icc_profile) { if (color_space != FF_JPEGXL_CS_XYB) { - uint32_t white_point = jxl_enum(); + uint32_t white_point = jxl_enum(gb); if (white_point > 63) return -1; if (white_point == FF_JPEGXL_WP_CUSTOM) { /* ux and uy values */ - jxl_u32(0, 524288, 1048576, 2097152, 19, 19, 20, 21); - jxl_u32(0, 524288, 1048576, 2097152, 19, 19, 20, 21); + jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); + jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); } if (color_space != FF_JPEGXL_CS_GRAY) { /* primaries */ - uint32_t primaries = jxl_enum(); + uint32_t primaries = jxl_enum(gb); if (primaries > 63) return -1; if (primaries == FF_JPEGXL_PR_CUSTOM) { /* ux/uy values for r,g,b */ for (int i = 0; i < 6; i++) - jxl_u32(0, 524288, 1048576, 2097152, 19, 19, 20, 21); + jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); } } } /* transfer characteristics */ - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* gamma */ - jxl_bits_skip(24); + skip_bits_long(gb, 24); } else { /* transfer function */ - if (jxl_enum() > 63) + if (jxl_enum(gb) > 63) return -1; } /* rendering intent */ - if (jxl_enum() > 63) + if (jxl_enum(gb) > 63) return -1; } } /* tone mapping bundle */ - if (extra_fields && !jxl_bits(1)) - jxl_bits_skip(16 + 16 + 1 + 16); + if (extra_fields && !get_bits1(gb)) + skip_bits_long(gb, 16 + 16 + 1 + 16); - extensions = jxl_u64(); + extensions = jpegxl_u64(gb); if (extensions) { for (int i = 0; i < 64; i++) { if (extensions & (UINT64_C(1) << i)) - jxl_u64(); + jpegxl_u64(gb); } } } /* default transform */ - if (!jxl_bits(1)) { + if (!get_bits1(gb)) { /* opsin inverse matrix */ - if (xyb_encoded && !jxl_bits(1)) - jxl_bits_skip(16 * 16); + if (xyb_encoded && !get_bits1(gb)) + skip_bits_long(gb, 16 * 16); /* cw_mask and default weights */ - if (jxl_bits(1)) - jxl_bits_skip(16 * 15); - if (jxl_bits(1)) - jxl_bits_skip(16 * 55); - if (jxl_bits(1)) - jxl_bits_skip(16 * 210); + if (get_bits1(gb)) + skip_bits_long(gb, 16 * 15); + if (get_bits1(gb)) + skip_bits_long(gb, 16 * 55); + if (get_bits1(gb)) + skip_bits_long(gb, 16 * 210); } if (!have_icc_profile) { int bits_remaining = 7 - (get_bits_count(gb) - 1) % 8; - if (bits_remaining && jxl_bits(bits_remaining)) + if (bits_remaining && get_bits(gb, bits_remaining)) return -1; } -- 2.40.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* [FFmpeg-devel] [PATCH 2/5] avformat/jpegxl_probe: check length instead of blindly reading 2023-06-08 14:26 [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 1/5] avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() Leo Izen @ 2023-06-08 14:26 ` Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 3/5] avformat/jpegxl_probe: Forward error codes Leo Izen ` (2 subsequent siblings) 4 siblings, 0 replies; 11+ messages in thread From: Leo Izen @ 2023-06-08 14:26 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Michael Niedermayer From: Michael Niedermayer <michael@niedermayer.cc> Enable the checked bitreader to avoid overread. Also add a few checks in loops and between blocks so we exit instead of continued execution. Alternatively we could add manual checks so that no overread can happen. This would be slightly faster but a bit more work and a bit more fragile Fixes: Out of array accesses Fixes: 59640/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-6584117345779712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/jpegxl_probe.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 1d9c014f19..e15e9eee49 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -21,6 +21,7 @@ #include "jpegxl_probe.h" +#define UNCHECKED_BITSTREAM_READER 0 #define BITSTREAM_READER_LE #include "libavcodec/get_bits.h" @@ -293,6 +294,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid skip_bits_long(gb, 1); } } + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (!all_default) { jpegxl_skip_bit_depth(gb); @@ -307,6 +310,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid for (uint32_t i = 0; i < num_extra_channels; i++) { if (jpegxl_read_extra_channel_info(gb, validate_level) < 0) return -1; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } xyb_encoded = get_bits1(gb); @@ -336,8 +341,11 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid return -1; if (primaries == FF_JPEGXL_PR_CUSTOM) { /* ux/uy values for r,g,b */ - for (int i = 0; i < 6; i++) + for (int i = 0; i < 6; i++) { jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + } } } } @@ -363,10 +371,14 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid skip_bits_long(gb, 16 + 16 + 1 + 16); extensions = jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (extensions) { for (int i = 0; i < 64; i++) { if (extensions & (UINT64_C(1) << i)) jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } } } -- 2.40.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* [FFmpeg-devel] [PATCH 3/5] avformat/jpegxl_probe: Forward error codes 2023-06-08 14:26 [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 1/5] avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 2/5] avformat/jpegxl_probe: check length instead of blindly reading Leo Izen @ 2023-06-08 14:26 ` Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container Leo Izen 4 siblings, 0 replies; 11+ messages in thread From: Leo Izen @ 2023-06-08 14:26 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Michael Niedermayer From: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/jpegxl_probe.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index e15e9eee49..88492cb772 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -261,8 +261,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid if (get_bits_long(gb, 16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) return -1; - if (jpegxl_read_size_header(gb) < 0 && validate_level) - return -1; + if ((ret = jpegxl_read_size_header(gb)) < 0 && validate_level) + return ret; all_default = get_bits1(gb); if (!all_default) @@ -281,8 +281,9 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid /* preview header */ if (get_bits1(gb)) { - if (jpegxl_read_preview_header(gb) < 0) - return -1; + ret = jpegxl_read_preview_header(gb); + if (ret < 0) + return ret; } /* animation header */ @@ -308,8 +309,9 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid if (num_extra_channels > 4 && validate_level) return -1; for (uint32_t i = 0; i < num_extra_channels; i++) { - if (jpegxl_read_extra_channel_info(gb, validate_level) < 0) - return -1; + ret = jpegxl_read_extra_channel_info(gb, validate_level); + if (ret < 0) + return ret; if (get_bits_left(gb) < 1) return AVERROR_INVALIDDATA; } -- 2.40.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks 2023-06-08 14:26 [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes Leo Izen ` (2 preceding siblings ...) 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 3/5] avformat/jpegxl_probe: Forward error codes Leo Izen @ 2023-06-08 14:26 ` Leo Izen 2023-06-09 2:32 ` Anton Khirnov 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container Leo Izen 4 siblings, 1 reply; 11+ messages in thread From: Leo Izen @ 2023-06-08 14:26 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Leo Izen Inlines some ret < 0 checks to look like: if ((ret = func()) < 0) return ret; which clarifies code slightly. Signed-off-by: Leo Izen <leo.izen@gmail.com> --- libavformat/jpegxl_probe.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 88492cb772..b4ab45518a 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -254,8 +254,7 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid uint64_t extensions; int ret; - ret = init_get_bits8(gb, buf, buflen); - if (ret < 0) + if ((ret = init_get_bits8(gb, buf, buflen)) < 0) return ret; if (get_bits_long(gb, 16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) @@ -281,8 +280,7 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid /* preview header */ if (get_bits1(gb)) { - ret = jpegxl_read_preview_header(gb); - if (ret < 0) + if ((ret = jpegxl_read_preview_header(gb)) < 0) return ret; } @@ -309,8 +307,7 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid if (num_extra_channels > 4 && validate_level) return -1; for (uint32_t i = 0; i < num_extra_channels; i++) { - ret = jpegxl_read_extra_channel_info(gb, validate_level); - if (ret < 0) + if ((ret = jpegxl_read_extra_channel_info(gb, validate_level)) < 0) return ret; if (get_bits_left(gb) < 1) return AVERROR_INVALIDDATA; -- 2.40.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks Leo Izen @ 2023-06-09 2:32 ` Anton Khirnov 2023-06-09 2:44 ` James Almer 0 siblings, 1 reply; 11+ messages in thread From: Anton Khirnov @ 2023-06-09 2:32 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: Leo Izen Quoting Leo Izen (2023-06-08 16:26:36) > Inlines some ret < 0 checks to look like: > if ((ret = func()) < 0) > return ret; > > which clarifies code slightly. FWIW I find this variant less readable. But it's your code, so up to you. -- Anton Khirnov _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks 2023-06-09 2:32 ` Anton Khirnov @ 2023-06-09 2:44 ` James Almer 2023-06-09 18:36 ` Michael Niedermayer 0 siblings, 1 reply; 11+ messages in thread From: James Almer @ 2023-06-09 2:44 UTC (permalink / raw) To: ffmpeg-devel On 6/8/2023 11:32 PM, Anton Khirnov wrote: > Quoting Leo Izen (2023-06-08 16:26:36) >> Inlines some ret < 0 checks to look like: >> if ((ret = func()) < 0) >> return ret; >> >> which clarifies code slightly. > > FWIW I find this variant less readable. > But it's your code, so up to you. Agree. It's both less readable and more prone to mistakes. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks 2023-06-09 2:44 ` James Almer @ 2023-06-09 18:36 ` Michael Niedermayer 0 siblings, 0 replies; 11+ messages in thread From: Michael Niedermayer @ 2023-06-09 18:36 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 769 bytes --] On Thu, Jun 08, 2023 at 11:44:38PM -0300, James Almer wrote: > On 6/8/2023 11:32 PM, Anton Khirnov wrote: > > Quoting Leo Izen (2023-06-08 16:26:36) > > > Inlines some ret < 0 checks to look like: > > > if ((ret = func()) < 0) > > > return ret; > > > > > > which clarifies code slightly. > > > > FWIW I find this variant less readable. > > But it's your code, so up to you. > > Agree. It's both less readable > and more prone to mistakes. yes, we had bugs with people misplacing a () in exactly this style of checking the return [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB While the State exists there can be no freedom; when there is freedom there will be no State. -- Vladimir Lenin [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container 2023-06-08 14:26 [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes Leo Izen ` (3 preceding siblings ...) 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks Leo Izen @ 2023-06-08 14:26 ` Leo Izen 2023-06-09 2:30 ` Anton Khirnov 4 siblings, 1 reply; 11+ messages in thread From: Leo Izen @ 2023-06-08 14:26 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Leo Izen This should avoid overrunning buffers with jxlp boxes if the size is zero or if the size is so small the box is invalid. Signed-off-by: Leo Izen <leo.izen@gmail.com> --- libavformat/jpegxl_anim_dec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c index 6ea6c46d8f..c9e4dcd5fc 100644 --- a/libavformat/jpegxl_anim_dec.c +++ b/libavformat/jpegxl_anim_dec.c @@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp tag = AV_RL32(b); b += 4; if (tag == MKTAG('j', 'x', 'l', 'p')) { + if (b - input_buffer >= input_len - 4) + break; b += 4; - size -= 4; + if (size) { + if (size < 4) + return AVERROR_INVALIDDATA; + size -= 4; + } } if (tag == MKTAG('j', 'x', 'l', 'c') || tag == MKTAG('j', 'x', 'l', 'p')) { -- 2.40.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container Leo Izen @ 2023-06-09 2:30 ` Anton Khirnov 2023-06-12 1:13 ` Leo Izen 0 siblings, 1 reply; 11+ messages in thread From: Anton Khirnov @ 2023-06-09 2:30 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: Leo Izen Quoting Leo Izen (2023-06-08 16:26:37) > This should avoid overrunning buffers with jxlp boxes if the size is > zero or if the size is so small the box is invalid. > > Signed-off-by: Leo Izen <leo.izen@gmail.com> > --- > libavformat/jpegxl_anim_dec.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c > index 6ea6c46d8f..c9e4dcd5fc 100644 > --- a/libavformat/jpegxl_anim_dec.c > +++ b/libavformat/jpegxl_anim_dec.c > @@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp > tag = AV_RL32(b); > b += 4; > if (tag == MKTAG('j', 'x', 'l', 'p')) { > + if (b - input_buffer >= input_len - 4) > + break; > b += 4; > - size -= 4; > + if (size) { > + if (size < 4) > + return AVERROR_INVALIDDATA; > + size -= 4; > + } This looks like it should be using bytestream2. Is there a good reason it is not? -- Anton Khirnov _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container 2023-06-09 2:30 ` Anton Khirnov @ 2023-06-12 1:13 ` Leo Izen 0 siblings, 0 replies; 11+ messages in thread From: Leo Izen @ 2023-06-12 1:13 UTC (permalink / raw) To: FFmpeg development discussions and patches On 6/8/23 22:30, Anton Khirnov wrote: > Quoting Leo Izen (2023-06-08 16:26:37) >> This should avoid overrunning buffers with jxlp boxes if the size is >> zero or if the size is so small the box is invalid. >> >> Signed-off-by: Leo Izen <leo.izen@gmail.com> >> --- >> libavformat/jpegxl_anim_dec.c | 8 +++++++- >> 1 file changed, 7 insertions(+), 1 deletion(-) >> >> diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c >> index 6ea6c46d8f..c9e4dcd5fc 100644 >> --- a/libavformat/jpegxl_anim_dec.c >> +++ b/libavformat/jpegxl_anim_dec.c >> @@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp >> tag = AV_RL32(b); >> b += 4; >> if (tag == MKTAG('j', 'x', 'l', 'p')) { >> + if (b - input_buffer >= input_len - 4) >> + break; >> b += 4; >> - size -= 4; >> + if (size) { >> + if (size < 4) >> + return AVERROR_INVALIDDATA; >> + size -= 4; >> + } > > This looks like it should be using bytestream2. Is there a good reason > it is not? > No particular reason, I'll send an updated patch using it. Also, I pushed the first three patches that michaelni authored, but not the 4th or this one. - Leo Izen _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2023-06-12 1:14 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-06-08 14:26 [FFmpeg-devel] [PATCH 0/5] JPEG XL Animation Changes Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 1/5] avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 2/5] avformat/jpegxl_probe: check length instead of blindly reading Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 3/5] avformat/jpegxl_probe: Forward error codes Leo Izen 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 4/5] avformat/jpegxl_probe: inline various ret < 0 checks Leo Izen 2023-06-09 2:32 ` Anton Khirnov 2023-06-09 2:44 ` James Almer 2023-06-09 18:36 ` Michael Niedermayer 2023-06-08 14:26 ` [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container Leo Izen 2023-06-09 2:30 ` Anton Khirnov 2023-06-12 1:13 ` Leo Izen
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git