From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 00F6849B60 for ; Thu, 2 May 2024 22:04:09 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 361C568D895; Fri, 3 May 2024 01:04:06 +0300 (EEST) Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9427468D807 for ; Fri, 3 May 2024 01:03:59 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id BFDCEE0002 for ; Thu, 2 May 2024 22:03:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1714687438; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=e/i1QRnwjHAGlRAML19qPVvoh+5Wi3s0sBcn4Wx6psY=; b=HG4frF/9c8Saq5d2yNtRsmeTrU+g6oRep332QTExtkDPeUS71Fny1h/gphOhwzrCiWP6CY izEKou113ErbS6haclen5k2pM5tLYmaIRU8tJAb3xJT6OorvJRsw9dvYlVX9vlMBsEi7DA W6D9VEhtfgP0ol/1cmK54bjukd12sJsrdFcyd777MGv6al1DMzB4wvEUsTPJjf/rJTPU+l 5DCYrBQSxLuFPPXfreg/b47LGnxtAQrJsdJ26C6OXdupxMchbTNilnCiWwMCKHjGzPrDac NQ9ejX1C6kcJ5tCFjvPlC5jPLLrOA+Q2Id/4/bUTasoIEOUsaKbURpPKMU0uxQ== Date: Fri, 3 May 2024 00:03:57 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20240502220357.GI6420@pb2> References: <20240502004150.3627661-1-michael@niedermayer.cc> <20240502004150.3627661-7-michael@niedermayer.cc> MIME-Version: 1.0 In-Reply-To: X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [PATCH 7/7] avcodec/cbs_jpeg: Try to move the read entity to one side in a test X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============5683942047629027415==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============5683942047629027415== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="PpM08FMrc2jUGrNz" Content-Disposition: inline --PpM08FMrc2jUGrNz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, May 02, 2024 at 08:58:17AM +0200, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: CID1439654 Untrusted pointer read > >=20 > > Sponsored-by: Sovereign Tech Fund > > Signed-off-by: Michael Niedermayer > > --- > > libavcodec/cbs_jpeg.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > >=20 > > diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c > > index b1b58dcd65e..406147c082c 100644 > > --- a/libavcodec/cbs_jpeg.c > > +++ b/libavcodec/cbs_jpeg.c > > @@ -146,13 +146,13 @@ static int cbs_jpeg_split_fragment(CodedBitstream= Context *ctx, > > } > > } else { > > i =3D start; > > - if (i + 2 > frag->data_size) { > > + if (i > frag->data_size - 2) { > > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image= : " > > "truncated at %02x marker.\n", marker); > > return AVERROR_INVALIDDATA; > > } > > length =3D AV_RB16(frag->data + i); > > - if (i + length > frag->data_size) { > > + if (length > frag->data_size - i) { > > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image= : " > > "truncated at %02x marker segment.\n", marker); > > return AVERROR_INVALIDDATA; >=20 > You should always mention when you are not fixing bugs in our code, but > rather intend to apply workaround for coverity crazyness (i.e. the > requirement that reading values in non-native endianness needs to be > sanitized). writing code like if (i + length > frag->data_size) is IMHO not proper and that has nothing to do with coverity the reason why this is not proper is that i + length could in principle overflow. It depends on teh whole loop and calling code if that is possible or not. to check length, length should be alone on one side of the check thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB It is what and why we do it that matters, not just one of them. --PpM08FMrc2jUGrNz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZjQNygAKCRBhHseHBAsP q7bIAJ9YeOD7KOssnscggskSZSe/NFKe9ACdHmrgLnuW8gDR4cDU7VoJh0Oorzg= =ZX+E -----END PGP SIGNATURE----- --PpM08FMrc2jUGrNz-- --===============5683942047629027415== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============5683942047629027415==--