From: Leo Izen
To: ffmpeg-devel@ffmpeg.org
Cc: Leo Izen
Date: Mon, 12 Jun 2023 09:22:56 -0400
Message-ID: <20230612132256.84549-1-leo.izen@gmail.com>
Subject: [FFmpeg-devel] [PATCH v2] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container

This switches the jpegxl_collect_codestream_header function to use avcodec/bytestream2, which better enforces barriers, and should avoid overrunning buffers with jxlp boxes if the size is zero or if the size is so small the box is invalid.

Signed-off-by: Leo Izen
---
 libavformat/jpegxl_anim_dec.c | 56 +++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 26 deletions(-)

diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index 6ea6c46d8f..ec400c955c 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -28,6 +28,7 @@ #include #include +#include "libavcodec/bytestream.h" #define BITSTREAM_READER_LE #include "libavcodec/get_bits.h" 
@@ -48,62 +49,65 @@ typedef struct JXLAnimDemuxContext { * returns the number of bytes consumed from input, may be greater than input_len * if the input doesn't end on an ISOBMFF-box boundary */ -static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int input_len, uint8_t *buffer, int buflen, int *copied) { - const uint8_t *b = input_buffer; +static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int input_len, + uint8_t *buffer, int buflen, int *copied) { + GetByteContext gb; *copied = 0; + bytestream2_init(&gb, input_buffer, input_len); while (1) { uint64_t size; uint32_t tag; int head_size = 8; - if (b - input_buffer >= input_len - 16) + if (bytestream2_get_bytes_left(&gb) < 16) break; - size = AV_RB32(b); - b += 4; + size = bytestream2_get_be32(&gb); if (size == 1) { - size = AV_RB64(b); - b += 8; + size = bytestream2_get_be64(&gb); head_size = 16; } /* invalid ISOBMFF size */ - if (size > 0 && size <= head_size) + if (size && size <= head_size) return AVERROR_INVALIDDATA; - if (size > 0) + if (size) size -= head_size; - tag = AV_RL32(b); - b += 4; + tag = bytestream2_get_le32(&gb); if (tag == MKTAG('j', 'x', 'l', 'p')) { - b += 4; - size -= 4; + if (bytestream2_get_bytes_left(&gb) < 4) + break; + bytestream2_skip(&gb, 4); + if (size) { + if (size <= 4) + return AVERROR_INVALIDDATA; + size -= 4; + } } + /* + * size = 0 means "until EOF". this is legal but uncommon + * here we just set it to the remaining size of the probe buffer + */ + if (!size) + size = bytestream2_get_bytes_left(&gb); if (tag == MKTAG('j', 'x', 'l', 'c') || tag == MKTAG('j', 'x', 'l', 'p')) { - /* - * size = 0 means "until EOF". 
this is legal but uncommon - * here we just set it to the remaining size of the probe buffer - * which at this point should always be nonnegative - */ - if (size == 0 || size > input_len - (b - input_buffer)) - size = input_len - (b - input_buffer); - if (size > buflen - *copied) size = buflen - *copied; /* * arbitrary chunking of the payload makes this memcpy hard to avoid * in practice this will only be performed one or two times at most */ - memcpy(buffer + *copied, b, size); - *copied += size; + *copied += bytestream2_get_buffer(&gb, buffer + *copied, size); + } else { + bytestream2_skip(&gb, size); } - b += size; - if (b >= input_buffer + input_len || *copied >= buflen) + if (bytestream2_get_bytes_left(&gb) <= 0 || *copied >= buflen) break; } - return b - input_buffer; + return bytestream2_tell(&gb); } static int jpegxl_anim_probe(const AVProbeData *p) -- 2.41.0
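Review bot: in the second hunk (the body of jpegxl_collect_codestream_header), the unchanged context comment above the function still promises that the return value "may be greater than input_len if the input doesn't end on an ISOBMFF-box boundary", but `return bytestream2_tell(&gb);` can never exceed input_len because bytestream2_skip and bytestream2_get_buffer stop at the end of the buffer, and the removed clamp `if (size == 0 || size > input_len - (b - input_buffer))` was what made the old overshoot explicit; either update that comment or confirm that no caller relies on a return value larger than input_len to skip ahead in the stream. Related: `size` is a uint64_t, while `bytestream2_skip(&gb, size)` and `bytestream2_get_buffer(&gb, buffer + *copied, size)` take a 32-bit count, so a 64-bit box size above 4 GiB is silently truncated; the buffer overrun is gone, but a truncated skip leaves the loop parsing payload bytes as the next box header. Clamping once before the tag check, e.g. `size = FFMIN(size, bytestream2_get_bytes_left(&gb));`, keeps both calls in range and makes the truncation impossible.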