Date: Sat, 11 May 2024 03:45:16 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH] avformat/data_uri: Fix base64 decode buffer size calculation
Message-ID: <20240511014516.GR6420@pb2>
In-Reply-To: <20240509140211.1296-1-kasper93@gmail.com>

On Thu, May 09, 2024 at 04:02:09PM +0200, Kacper Michajłow wrote:
> Also reject input if it is too short.
>
> Found by OSS-Fuzz.
>
> Signed-off-by: Kacper Michajłow
> ---
> libavformat/data_uri.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/data_uri.c b/libavformat/data_uri.c > index 3868a19630..f97ecbab37 100644 > --- a/libavformat/data_uri.c > +++ b/libavformat/data_uri.c 
> @@ -73,11 +73,11 @@ static av_cold int data_open(URLContext *h, const cha= r *uri, int flags) > data++; > in_size =3D strlen(data); > if (base64) { > - size_t out_size =3D 3 * (in_size / 4) + 1; > + size_t out_size =3D AV_BASE64_DECODE_SIZE(in_size); i suspect this is correct > =20 > if (out_size > INT_MAX || !(ddata =3D av_malloc(out_size))) > return AVERROR(ENOMEM); > - if ((ret =3D av_base64_decode(ddata, data, out_size)) < 0) { > + if (!out_size || (ret =3D av_base64_decode(ddata, data, out_size= )) < 0) { > av_free(ddata); > av_log(h, AV_LOG_ERROR, "Invalid base64 in URI\n"); > return ret;

why would this need an out_size == 0 check?

also it seems av_base64_decode() itself is buggy, I've sent 2 patches fixing av_base64_decode() and extending the self tests

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
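
Review bot: In the new condition `if (!out_size || (ret = av_base64_decode(ddata, data, out_size)) < 0)`, the `!out_size` case short-circuits before `ret` is assigned, so the `return ret;` at the end of that block returns whatever `ret` held before this hunk instead of an error code for the rejected input. Give the empty case its own branch that sets `ret` explicitly (for example `AVERROR(EINVAL)`) before freeing `ddata` and logging. The zero check also runs only after `av_malloc(out_size)` on the preceding line, so a zero-byte allocation is requested first; testing `out_size` before the allocation would avoid that and would make the "reject input if it is too short" behaviour from the commit message visible as a separate step.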