* [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
@ 2023-06-22 0:30 Michael Niedermayer
2023-06-24 19:14 ` Andreas Rheinhardt
0 siblings, 1 reply; 6+ messages in thread
From: Michael Niedermayer @ 2023-06-22 0:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
Found-by: Catena cyber <contact@catenacyber.fr>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/parser.c b/libavcodec/parser.c
index efc28b8918..db39e698ab 100644
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
for (; pc->overread > 0; pc->overread--)
pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
- if (next > *buf_size)
+ if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
return AVERROR(EINVAL);
/* flush remaining if EOF */
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
2023-06-22 0:30 [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index Michael Niedermayer
@ 2023-06-24 19:14 ` Andreas Rheinhardt
2023-06-24 20:06 ` Michael Niedermayer
2023-06-24 20:13 ` Reimar Döffinger
0 siblings, 2 replies; 6+ messages in thread
From: Andreas Rheinhardt @ 2023-06-24 19:14 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: out of array access
> Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
>
> Found-by: Catena cyber <contact@catenacyber.fr>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/parser.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/parser.c b/libavcodec/parser.c
> index efc28b8918..db39e698ab 100644
> --- a/libavcodec/parser.c
> +++ b/libavcodec/parser.c
> @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> for (; pc->overread > 0; pc->overread--)
> pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
>
> - if (next > *buf_size)
> + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
> return AVERROR(EINVAL);
>
> /* flush remaining if EOF */
Could you provide more details about this? E.g. which parser is this
about at all? And how can we actually come in this situation at all?
(Whenever I looked at ff_combine_frame() I do not really understand what
its invariants are supposed to be.)
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
2023-06-24 19:14 ` Andreas Rheinhardt
@ 2023-06-24 20:06 ` Michael Niedermayer
2023-06-24 20:13 ` Reimar Döffinger
1 sibling, 0 replies; 6+ messages in thread
From: Michael Niedermayer @ 2023-06-24 20:06 UTC (permalink / raw)
To: FFmpeg development discussions and patches; +Cc: Reimar Döffinger
[-- Attachment #1.1: Type: text/plain, Size: 1773 bytes --]
On Sat, Jun 24, 2023 at 09:14:53PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
> >
> > Found-by: Catena cyber <contact@catenacyber.fr>
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/parser.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/parser.c b/libavcodec/parser.c
> > index efc28b8918..db39e698ab 100644
> > --- a/libavcodec/parser.c
> > +++ b/libavcodec/parser.c
> > @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> > for (; pc->overread > 0; pc->overread--)
> > pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
> >
> > - if (next > *buf_size)
> > + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
> > return AVERROR(EINVAL);
> >
> > /* flush remaining if EOF */
>
> Could you provide more details about this? E.g. which parser is this
> about at all? And how can we actually come in this situation at all?
> (Whenever I looked at ff_combine_frame() I do not really understand what
> its invariants are supposed to be.)
truehd with a malloc() failure
and i dont think it should happen but, it felt like a good idea to check
also *buf_size should probably be reset to 0, there was a patch about that
from reimar (in CC)
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Frequently ignored answer#1 FFmpeg bugs should be sent to our bugtracker. User
questions about the command line tools should be sent to the ffmpeg-user ML.
And questions about how to use libav* should be sent to the libav-user ML.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
2023-06-24 19:14 ` Andreas Rheinhardt
2023-06-24 20:06 ` Michael Niedermayer
@ 2023-06-24 20:13 ` Reimar Döffinger
2024-03-12 22:13 ` Michael Niedermayer
2024-03-13 0:16 ` James Almer
1 sibling, 2 replies; 6+ messages in thread
From: Reimar Döffinger @ 2023-06-24 20:13 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Hi!
> On 24 Jun 2023, at 21:14, Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:
>
> Michael Niedermayer:
>> Fixes: out of array access
>> Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
>>
>> Found-by: Catena cyber <contact@catenacyber.fr>
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavcodec/parser.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/parser.c b/libavcodec/parser.c
>> index efc28b8918..db39e698ab 100644
>> --- a/libavcodec/parser.c
>> +++ b/libavcodec/parser.c
>> @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
>> for (; pc->overread > 0; pc->overread--)
>> pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
>>
>> - if (next > *buf_size)
>> + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
>> return AVERROR(EINVAL);
>>
>> /* flush remaining if EOF */
>
> Could you provide more details about this? E.g. which parser is this
> about at all? And how can we actually come in this situation at all?
> (Whenever I looked at ff_combine_frame() I do not really understand what
> its invariants are supposed to be.)
Yeah, when I looked at it I also felt like it has all kinds of
assumptions/preconditions without which it will break, but those
are not documented. Not really reviewable for correctness.
The change I proposed to fix the same issue was as below. But
note that it is not based on actual understanding, just that generally
index, overread_index and buf_size are updated together so I
thought it suspicious buf_size was not updated on realloc failure.
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -252,6 +252,7 @@ int ff_combine_frame(ParseContext *pc, int next,
AV_INPUT_BUFFER_PADDING_SIZE);
if (!new_buffer) {
av_log(NULL, AV_LOG_ERROR, "Failed to reallocate parser buffer to %d\n", next + pc->index + AV_INPUT_BUFFER_PADDING_SIZE);
+ *buf_size =
pc->overread_index =
pc->index = 0;
return AVERROR(ENOMEM);
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
2023-06-24 20:13 ` Reimar Döffinger
@ 2024-03-12 22:13 ` Michael Niedermayer
2024-03-13 0:16 ` James Almer
1 sibling, 0 replies; 6+ messages in thread
From: Michael Niedermayer @ 2024-03-12 22:13 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 2610 bytes --]
On Sat, Jun 24, 2023 at 10:13:48PM +0200, Reimar Döffinger wrote:
> Hi!
>
> > On 24 Jun 2023, at 21:14, Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:
> >
> > Michael Niedermayer:
> >> Fixes: out of array access
> >> Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
> >>
> >> Found-by: Catena cyber <contact@catenacyber.fr>
> >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> ---
> >> libavcodec/parser.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavcodec/parser.c b/libavcodec/parser.c
> >> index efc28b8918..db39e698ab 100644
> >> --- a/libavcodec/parser.c
> >> +++ b/libavcodec/parser.c
> >> @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> >> for (; pc->overread > 0; pc->overread--)
> >> pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
> >>
> >> - if (next > *buf_size)
> >> + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
> >> return AVERROR(EINVAL);
> >>
> >> /* flush remaining if EOF */
> >
> > Could you provide more details about this? E.g. which parser is this
> > about at all? And how can we actually come in this situation at all?
> > (Whenever I looked at ff_combine_frame() I do not really understand what
> > its invariants are supposed to be.)
>
> Yeah, when I looked at it I also felt like it has all kinds of
> assumptions/preconditions without which it will break, but those
> are not documented. Not really reviewable for correctness.
> The change I proposed to fix the same issue was as below. But
> note that it is not based on actual understanding, just that generally
> index, overread_index and buf_size are updated together so I
> thought it suspicious buf_size was not updated on realloc failure.
> --- a/libavcodec/parser.c
> +++ b/libavcodec/parser.c
> @@ -252,6 +252,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> AV_INPUT_BUFFER_PADDING_SIZE);
> if (!new_buffer) {
> av_log(NULL, AV_LOG_ERROR, "Failed to reallocate parser buffer to %d\n", next + pc->index + AV_INPUT_BUFFER_PADDING_SIZE);
> + *buf_size =
> pc->overread_index =
> pc->index = 0;
> return AVERROR(ENOMEM);
It appears neither of the 2 fixes was applied
this is not ideal
I will apply reimars patch
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No snowflake in an avalanche ever feels responsible. -- Voltaire
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
2023-06-24 20:13 ` Reimar Döffinger
2024-03-12 22:13 ` Michael Niedermayer
@ 2024-03-13 0:16 ` James Almer
1 sibling, 0 replies; 6+ messages in thread
From: James Almer @ 2024-03-13 0:16 UTC (permalink / raw)
To: ffmpeg-devel
On 6/24/2023 5:13 PM, Reimar Döffinger wrote:
> Hi!
>
>> On 24 Jun 2023, at 21:14, Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:
>>
>> Michael Niedermayer:
>>> Fixes: out of array access
>>> Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
>>>
>>> Found-by: Catena cyber <contact@catenacyber.fr>
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavcodec/parser.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/parser.c b/libavcodec/parser.c
>>> index efc28b8918..db39e698ab 100644
>>> --- a/libavcodec/parser.c
>>> +++ b/libavcodec/parser.c
>>> @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
>>> for (; pc->overread > 0; pc->overread--)
>>> pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
>>>
>>> - if (next > *buf_size)
>>> + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
>>> return AVERROR(EINVAL);
>>>
>>> /* flush remaining if EOF */
>>
>> Could you provide more details about this? E.g. which parser is this
>> about at all? And how can we actually come in this situation at all?
>> (Whenever I looked at ff_combine_frame() I do not really understand what
>> its invariants are supposed to be.)
>
> Yeah, when I looked at it I also felt like it has all kinds of
> assumptions/preconditions without which it will break, but those
> are not documented. Not really reviewable for correctness.
> The change I proposed to fix the same issue was as below. But
> note that it is not based on actual understanding, just that generally
> index, overread_index and buf_size are updated together so I
> thought it suspicious buf_size was not updated on realloc failure.
> --- a/libavcodec/parser.c
> +++ b/libavcodec/parser.c
> @@ -252,6 +252,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> AV_INPUT_BUFFER_PADDING_SIZE);
> if (!new_buffer) {
> av_log(NULL, AV_LOG_ERROR, "Failed to reallocate parser buffer to %d\n", next + pc->index + AV_INPUT_BUFFER_PADDING_SIZE);
> + *buf_size =
> pc->overread_index =
> pc->index = 0;
> return AVERROR(ENOMEM);
*buf_size is, by most parsers, the value returned to the caller if
ff_combine_frame() fails. This change means that they will now return 0
on realloc failure, which is interpreted as 0 bytes having been read
from the input. Is this desirable and/or intended?
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-03-13 0:16 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-22 0:30 [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index Michael Niedermayer
2023-06-24 19:14 ` Andreas Rheinhardt
2023-06-24 20:06 ` Michael Niedermayer
2023-06-24 20:13 ` Reimar Döffinger
2024-03-12 22:13 ` Michael Niedermayer
2024-03-13 0:16 ` James Almer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git