From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 7CABA4A1AF for ; Mon, 22 Apr 2024 21:01:43 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 01BF968D378; Tue, 23 Apr 2024 00:01:41 +0300 (EEST) Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net [217.70.183.201]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 5568C68CEBF for ; Tue, 23 Apr 2024 00:01:34 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id A12101BF205 for ; Mon, 22 Apr 2024 21:01:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1713819693; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=fO4BZA3sbOf/j7S+Wps7c5IJJIZUaKqC4l3EVXvrAeM=; b=A4OxMbVYT2mOdJa/oNNy3p+gIK8+JV7XcIQFtnU3aPj7ml3mRoHc531KEGtAGOZr0nI/sC 44/+GjAhvIg3vLZlHEtaf11UN/aG7rk+GWhvJQ+thN+XAlBXR/YLv07gE2X09DfWGr2NHb TOWFiFTtewGVU3OQ7zQFdnWro7zuisECl79uXA4wfVySW25WBgdG5KlbLLMx/XEPsfE8Ly 1bjawbSL+6HCz+/Rb6nDojf6YtbLOlD8WT0Lm758yWFrJCx90DMAbv71F/0fwbt+AB9s0a nI0jpxF7se8C2fN9Uiw0qhdsyCbo5Tee7mjtQ5rh2au7jMAty2hw6e/CBqdKdw== Date: Mon, 22 Apr 2024 23:01:32 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20240422210132.GD6420@pb2> References: <20240422013150.458103-1-michael@niedermayer.cc> <67b2f0ee-9465-4b76-ad15-be68d9faa987@jkqxz.net> <3ed83124-4f7e-4ed6-8e3c-3a97852617b7@gmail.com> MIME-Version: 1.0 In-Reply-To: <3ed83124-4f7e-4ed6-8e3c-3a97852617b7@gmail.com> X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [PATCH] avcodec/cbs_h2645: Check NAL space X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============5915741162583174708==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============5915741162583174708== Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="akGl2rwlTfUXuMtT" Content-Disposition: inline --akGl2rwlTfUXuMtT Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 22, 2024 at 05:46:10PM -0300, James Almer wrote: > On 4/22/2024 5:40 PM, Mark Thompson wrote: > > On 22/04/2024 02:31, Michael Niedermayer wrote: > > > Found-by-reviewing: CID1419833 Untrusted loop bound > > >=20 > > > Sponsored-by: Sovereign Tech Fund > > > Signed-off-by: Michael Niedermayer > > > --- > > > libavcodec/cbs_h2645.c | 4 ++++ > > > 1 file changed, 4 insertions(+) > > >=20 > > > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c > > > index fe2e383ff33..1a45d424bae 100644 > > > --- a/libavcodec/cbs_h2645.c > > > +++ b/libavcodec/cbs_h2645.c > > > @@ -709,7 +709,11 @@ static int cbs_h2645_split_fragment(CodedBitstre= amContext *ctx, > > > start =3D bytestream2_tell(&gbc); > > > for(i =3D 0; i < num_nalus; i++) { > > > + if (bytestream2_get_bytes_left(&gbc) < 2) > > > + return AVERROR_INVALIDDATA; > > > size =3D bytestream2_get_be16(&gbc); > > > + if (bytestream2_get_bytes_left(&gbc) < size) > > > + return AVERROR_INVALIDDATA; > > > bytestream2_skip(&gbc, size); > > > } > > > end =3D bytestream2_tell(&gbc); > >=20 > > Seems fair. > >=20 > > The problem looks more general with missing bounds checks in all the H.= 266 code around this, though? Compare with H.26[45], which have checks on = all the reads - seems like H.266 should be doing that. > >=20 > > Thanks, >=20 > Not against this approach, but since the bytestream2_get_* functions retu= rn > 0, never overread the buffer or move the internal pointer, wouldn't it be > enough to just ensure end > start? > Particularly in ff_h2645_packet_split(), we can return an error if length > (in this case being set to end - start) is < 4. The patch adds the same kind of check as are used in the AV_CODEC_ID_HEVC case earlier in the file already I think what is done should approximately stay in sync thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin --akGl2rwlTfUXuMtT Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEIAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZibQJQAKCRBhHseHBAsP q3G4AJsF0/fKsSUsuL2epcwY26Ixd+E7sQCfdSHEo122nZtC7OJEmi45EqFjOzM= =dQA5 -----END PGP SIGNATURE----- --akGl2rwlTfUXuMtT-- --===============5915741162583174708== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============5915741162583174708==--