Re: [FFmpeg-devel] [PATCH] avcodec/cbs_h2645: Check NAL space

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/cbs_h2645: Check NAL space
Date: Tue, 23 Apr 2024 01:49:24 +0200
Message-ID: <20240422234924.GE6420@pb2> (raw)
In-Reply-To: <a4cf4f80-8ade-472d-963b-3b481e433ea7@gmail.com>

[-- Attachment #1.1: Type: text/plain, Size: 2967 bytes --]

On Mon, Apr 22, 2024 at 06:07:42PM -0300, James Almer wrote:
> On 4/22/2024 6:01 PM, Michael Niedermayer wrote:
> > On Mon, Apr 22, 2024 at 05:46:10PM -0300, James Almer wrote:
> > > On 4/22/2024 5:40 PM, Mark Thompson wrote:
> > > > On 22/04/2024 02:31, Michael Niedermayer wrote:
> > > > > Found-by-reviewing: CID1419833 Untrusted loop bound
> > > > > 
> > > > > Sponsored-by: Sovereign Tech Fund
> > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > > > ---
> > > > >    libavcodec/cbs_h2645.c | 4 ++++
> > > > >    1 file changed, 4 insertions(+)
> > > > > 
> > > > > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
> > > > > index fe2e383ff33..1a45d424bae 100644
> > > > > --- a/libavcodec/cbs_h2645.c
> > > > > +++ b/libavcodec/cbs_h2645.c
> > > > > @@ -709,7 +709,11 @@ static int cbs_h2645_split_fragment(CodedBitstreamContext *ctx,
> > > > >                start = bytestream2_tell(&gbc);
> > > > >                for(i = 0; i < num_nalus; i++) {
> > > > > +                if (bytestream2_get_bytes_left(&gbc) < 2)
> > > > > +                    return AVERROR_INVALIDDATA;
> > > > >                    size = bytestream2_get_be16(&gbc);
> > > > > +                if (bytestream2_get_bytes_left(&gbc) < size)
> > > > > +                    return AVERROR_INVALIDDATA;
> > > > >                    bytestream2_skip(&gbc, size);
> > > > >                }
> > > > >                end = bytestream2_tell(&gbc);
> > > > 
> > > > Seems fair.
> > > > 
> > > > The problem looks more general with missing bounds checks in all the H.266 code around this, though?  Compare with H.26[45], which have checks on all the reads - seems like H.266 should be doing that.
> > > > 
> > > > Thanks,
> > > 
> > > Not against this approach, but since the bytestream2_get_* functions return
> > > 0, never overread the buffer or move the internal pointer, wouldn't it be
> > > enough to just ensure end > start?
> > > Particularly in ff_h2645_packet_split(), we can return an error if length
> > > (in this case being set to end - start) is < 4.
> > 
> > The patch adds the same kind of check as are used in the AV_CODEC_ID_HEVC
> > case earlier in the file already
> > 
> > I think what is done should approximately stay in sync
> 
> fwiw, better not add an initial length check to ff_h2645_packet_split() like
> i suggested, as it could potentially break samples that would otherwise
> decode just fine. It setting nb_nals to 0 should be enough.

iam not 100% i parsed that text correctly

> 
> So this patch is fine. Further bytestream2_get_bytes_left() checks can be
> added too, namely one that checks the buffer is at least the smallest size a
> vvcC box can be.

ok will apply patch

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".