From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 7/7] avcodec/cbs_jpeg: Try to move the read entity to one side in a test
Date: Fri, 3 May 2024 00:03:57 +0200
Message-ID: <20240502220357.GI6420@pb2> (raw)
In-Reply-To: <AS8P250MB0744E052839BACA34D174D448F182@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM>
[-- Attachment #1.1: Type: text/plain, Size: 2119 bytes --]
On Thu, May 02, 2024 at 08:58:17AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: CID1439654 Untrusted pointer read
> >
> > Sponsored-by: Sovereign Tech Fund
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/cbs_jpeg.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c
> > index b1b58dcd65e..406147c082c 100644
> > --- a/libavcodec/cbs_jpeg.c
> > +++ b/libavcodec/cbs_jpeg.c
> > @@ -146,13 +146,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
> > }
> > } else {
> > i = start;
> > - if (i + 2 > frag->data_size) {
> > + if (i > frag->data_size - 2) {
> > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: "
> > "truncated at %02x marker.\n", marker);
> > return AVERROR_INVALIDDATA;
> > }
> > length = AV_RB16(frag->data + i);
> > - if (i + length > frag->data_size) {
> > + if (length > frag->data_size - i) {
> > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: "
> > "truncated at %02x marker segment.\n", marker);
> > return AVERROR_INVALIDDATA;
>
> You should always mention when you are not fixing bugs in our code, but
> rather intend to apply workaround for coverity crazyness (i.e. the
> requirement that reading values in non-native endianness needs to be
> sanitized).
writing code like
if (i + length > frag->data_size)
is IMHO not proper and that has nothing to do with coverity
the reason why this is not proper is that i + length could in
principle overflow. It depends on teh whole loop and calling code
if that is possible or not.
to check length, length should be alone on one side of the check
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is what and why we do it that matters, not just one of them.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2024-05-02 22:04 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-02 0:41 [FFmpeg-devel] [PATCH 1/7] avcodec/av1dec: bit_depth cannot be another values than 8, 10, 12 Michael Niedermayer
2024-05-02 0:41 ` [FFmpeg-devel] [PATCH 2/7] avcodec/av1dec: initialize ret in av1_receive_frame_internal() Michael Niedermayer
2024-05-02 0:55 ` James Almer
2024-05-02 7:12 ` Andreas Rheinhardt
2024-05-02 21:29 ` Michael Niedermayer
2024-05-02 21:34 ` Andreas Rheinhardt
2024-05-02 21:41 ` Michael Niedermayer
2024-05-02 0:41 ` [FFmpeg-devel] [PATCH 3/7] avcodec/avfft: Remove dead code Michael Niedermayer
2024-05-02 1:21 ` Lynne
2024-05-02 1:28 ` Michael Niedermayer
2024-05-02 0:41 ` [FFmpeg-devel] [PATCH 4/7] avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 Michael Niedermayer
2024-05-02 8:25 ` Andreas Rheinhardt
2024-05-02 21:32 ` Michael Niedermayer
2024-05-02 0:41 ` [FFmpeg-devel] [PATCH 5/7] avcodec/avs3_parser: Check the return value of init_get_bits8() Michael Niedermayer
2024-05-02 8:28 ` Andreas Rheinhardt
2024-05-02 21:53 ` Michael Niedermayer
2024-05-02 0:41 ` [FFmpeg-devel] [PATCH 6/7] avcodec/cbs_av1: Avoid shift overflow Michael Niedermayer
2024-05-09 1:33 ` Michael Niedermayer
2024-05-02 0:41 ` [FFmpeg-devel] [PATCH 7/7] avcodec/cbs_jpeg: Try to move the read entity to one side in a test Michael Niedermayer
2024-05-02 6:58 ` Andreas Rheinhardt
2024-05-02 22:03 ` Michael Niedermayer [this message]
2024-07-02 18:29 ` Michael Niedermayer
2024-05-02 0:56 ` [FFmpeg-devel] [PATCH 1/7] avcodec/av1dec: bit_depth cannot be another values than 8, 10, 12 James Almer
2024-05-02 22:12 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240502220357.GI6420@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git