On Fri, May 03, 2024 at 12:03:57AM +0200, Michael Niedermayer wrote: > On Thu, May 02, 2024 at 08:58:17AM +0200, Andreas Rheinhardt wrote: > > Michael Niedermayer: > > > Fixes: CID1439654 Untrusted pointer read > > > > > > Sponsored-by: Sovereign Tech Fund > > > Signed-off-by: Michael Niedermayer > > > --- > > > libavcodec/cbs_jpeg.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c > > > index b1b58dcd65e..406147c082c 100644 > > > --- a/libavcodec/cbs_jpeg.c > > > +++ b/libavcodec/cbs_jpeg.c > > > @@ -146,13 +146,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, > > > } > > > } else { > > > i = start; > > > - if (i + 2 > frag->data_size) { > > > + if (i > frag->data_size - 2) { > > > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " > > > "truncated at %02x marker.\n", marker); > > > return AVERROR_INVALIDDATA; > > > } > > > length = AV_RB16(frag->data + i); > > > - if (i + length > frag->data_size) { > > > + if (length > frag->data_size - i) { > > > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " > > > "truncated at %02x marker segment.\n", marker); > > > return AVERROR_INVALIDDATA; > > > > You should always mention when you are not fixing bugs in our code, but > > rather intend to apply workaround for coverity crazyness (i.e. the > > requirement that reading values in non-native endianness needs to be > > sanitized). > > writing code like > if (i + length > frag->data_size) > > is IMHO not proper and that has nothing to do with coverity > the reason why this is not proper is that i + length could in > principle overflow. It depends on teh whole loop and calling code > if that is possible or not. > > to check length, length should be alone on one side of the check I will add this to the commit message: " The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. " thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Complexity theory is the science of finding the exact solution to an approximation. Benchmarking OTOH is finding an approximation of the exact