Date: Sat, 18 May 2024 21:45:56 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH 2/9] avcodec/tiff: Assert init_get_bits8() success in unpack_gray()
Message-ID: <20240518194556.GC2821752@pb2>

On Sat, May 18, 2024 at 08:02:28AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Helps: CID1441939 Unchecked return value
> >
> > Sponsored-by: Sovereign Tech Fund
> > Signed-off-by: Michael Niedermayer
> > ---
> > libavcodec/tiff.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c > > index ca7e9f6aba9..31de6ad7308 100644 > > --- a/libavcodec/tiff.c > > +++ b/libavcodec/tiff.c
> > @@ -457,7 +457,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, > > GetBitContext gb; > > uint16_t *dst =3D (uint16_t *)(p->data[0] + lnum * p->linesize[0]); > > =20 > > - init_get_bits8(&gb, src, width); > > + int ret =3D init_get_bits8(&gb, src, width); > > + av_assert1(ret >=3D 0); > > =20 > > for (int i =3D 0; i < s->width; i++) { > > dst[i] =3D get_bits(&gb, bpp);
>
> What guarantees that this is not triggered?

Several arguments, first one is simply that linesize*allocated_height must be
addressable with an int index
which in practice ends on the check "stride*(uint64_t)(h+128) >= INT_MAX" in av_image_check_size2
so I would expect a width * 8 not to overflow if a stride * (h+128) cannot
(this is a bit fuzzy as our width can contain some subsampling factors though
I doubt they can be that large)

the 2nd is that
    int width = ((s->width * s->bpp) + 7) >> 3;
or the alternative path contains an
    av_assert0(width <= bytes_per_row);
where
    int bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * s->subsampling[0] * s->subsampling[1] + 7) >> 3;

both are integers divided by 8 so I would expect no overflow on a multiply by 8

thx

[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The bravest are surely those who have the clearest vision of what is
before them, glory and danger alike, and yet notwithstanding go out to
meet it.
-- Thucydides
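
Review bot: in the unpack_gray() hunk, av_assert1(ret >= 0) encodes an invariant (that width, in bytes, times 8 fits in an int) which is not stated at the call site; add a short comment above the assert naming what bounds width, for example the av_image_check_size2 limit and the av_assert0(width <= bytes_per_row) cited in the reply. Also, av_assert1 is only compiled in at assert level 1 or higher, so in a default build ret is assigned and never read; since unpack_gray() returns void and cannot propagate the error, av_assert0 would keep the check in all builds if the invariant is meant to be enforced.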