From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 7B434461F5
	for <ffmpegdev@gitmailbox.com>; Thu,  8 Jun 2023 14:27:34 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 148E268C308;
	Thu,  8 Jun 2023 17:26:52 +0300 (EEST)
Received: from mail-oa1-f48.google.com (mail-oa1-f48.google.com
 [209.85.160.48])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id ED0E068C31C
 for <ffmpeg-devel@ffmpeg.org>; Thu,  8 Jun 2023 17:26:43 +0300 (EEST)
Received: by mail-oa1-f48.google.com with SMTP id
 586e51a60fabf-1a2dd615ddcso69412fac.0
 for <ffmpeg-devel@ffmpeg.org>; Thu, 08 Jun 2023 07:26:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1686234402; x=1688826402;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=qH7qDCfOBbDDfJXOtXNxTIYw4pquCnC4jVw/+w4a5EA=;
 b=GFsJwT1RKQORR4zsMNj6HnehlNdUCwXSdDWjRARvWl404ctxnQ9T8Nh+M6dR+zPwky
 VZgRIwPEYRB0obDDtwPEjuPvrMpUmS23qHSgG+4ydeVCySL30BE3YbnrtM+yPqizBUqP
 ldez7GZEkzWOgNiUc8pxJkIuowJ4mEeYRc2eGFF9LCYPpGm0wbsJft8X8l9RDfdIZo7s
 NgSJkM8aU/SJuIUWY2U7RDyIuOcGpFltpWo1SZlztRE83TcOy5URZOd3Vf/T5oESdw4l
 O8NacHlxjUU6av13/qk6zjsPA1f22/Y2sAGE30JWRKKcHJgrTVDrIEzXGW2+tTRvlpJg
 VcUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1686234402; x=1688826402;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=qH7qDCfOBbDDfJXOtXNxTIYw4pquCnC4jVw/+w4a5EA=;
 b=FW5F6XfQE+9HsLb62owPS2ZVCAt5esNgCbd7VnmYSyOjahz4tu/899HOiTjcjSKKBv
 kazLuyqOoY//kBclQgTyrll2kY94nuk5OJ4u7cpCfN4SqbSfsulXTXByT3mi80TajvnJ
 p9HHYNGdt4Qcd4fVAgjjNNxy4WETIOQQKjjpYXhJ7xxJgNilBRamTirb5s2faj7jQu+9
 +iz/WVYIyFBLzvUDeVChW3317cBfc+c4a6eoRR3YLz++4ivBHwEvu+h7EZNVr48Vd1Pb
 1WXNKXk7BaqM/5MjIGXreKVUQ8hAOeSIJDMxoLPUYPZMb2dpvZdLKWUgpy6qe2B/RVLA
 wkYg==
X-Gm-Message-State: AC+VfDyOWXtZjyQlIiRiAKJ53Uw044mwHeHltXHoGESI4u+LDTWx7Kic
 YV7xhQeAP0zxOw8MvLQ/dkhoUYTSCSU=
X-Google-Smtp-Source: ACHHUZ4IepoNVTo4lIyqn4P9tmRY6Njy0KxWB0gbNOkH2PCyk+SectDgla1kJTbjh1ZNx2T8Ixrh1g==
X-Received: by 2002:a05:6870:f5aa:b0:19f:5cb8:b5fa with SMTP id
 eh42-20020a056870f5aa00b0019f5cb8b5famr4150010oab.3.1686234402239; 
 Thu, 08 Jun 2023 07:26:42 -0700 (PDT)
Received: from gauss.local (c-98-224-219-15.hsd1.mi.comcast.net.
 [98.224.219.15]) by smtp.gmail.com with ESMTPSA id
 b206-20020a0dd9d7000000b0056943d9cf8fsm414589ywe.9.2023.06.08.07.26.41
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 08 Jun 2023 07:26:42 -0700 (PDT)
From: Leo Izen <leo.izen@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu,  8 Jun 2023 10:26:37 -0400
Message-Id: <20230608142637.45033-6-leo.izen@gmail.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230608142637.45033-1-leo.izen@gmail.com>
References: <20230608142637.45033-1-leo.izen@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun
 with jxlp boxes in container
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Leo Izen <leo.izen@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20230608142637.45033-6-leo.izen@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

This should avoid overrunning buffers with jxlp boxes if the size is
zero or if the size is so small the box is invalid.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
---
 libavformat/jpegxl_anim_dec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index 6ea6c46d8f..c9e4dcd5fc 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp
         tag = AV_RL32(b);
         b += 4;
         if (tag == MKTAG('j', 'x', 'l', 'p')) {
+            if (b - input_buffer >= input_len - 4)
+                break;
             b += 4;
-            size -= 4;
+            if (size) {
+                if (size < 4)
+                    return AVERROR_INVALIDDATA;
+                size -= 4;
+            }
         }
 
         if (tag == MKTAG('j', 'x', 'l', 'c') || tag == MKTAG('j', 'x', 'l', 'p')) {
-- 
2.40.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".