From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 92AAC48B2C for ; Tue, 2 Jul 2024 18:29:55 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C782668D886; Tue, 2 Jul 2024 21:29:52 +0300 (EEST) Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id C4A5268D886 for ; Tue, 2 Jul 2024 21:29:45 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id F25EC20003 for ; Tue, 2 Jul 2024 18:29:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1719944985; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=JtrC+udGdY0OU8t2XDfeFEFDsBRPEDToTFXj858hu64=; b=UYDVz9fH4uLbxgHa+0puxoYAkTJYO1Yez9bMWAmdNkPW8TRm0aZvZPpMoQ0nQy5aMNmpHs crRwRhYLQIk2gm+eugjh/72Wad3OBiJhpCITJcU2jiWNmSjiJbC81Wk/W7L3aF1vqPuixk gO5NH6n6gcIKSrZV3Opunrm+DzfigCI8mbMS6ygIydgTjHH2g2oHTrJcVwo/ZDeVow+n20 elxCTbw8q5qo8jcxTtOF0NtCsixedT47WbRwHlG7frr3h+jsgHaWUpSpiAAa4RcS+76VTE mN2TTzZGh26TAUPjrTgcKL/SwbZQvY1qBYpa8dlguCMoq4d9iK+1lchUwsoyjw== Date: Tue, 2 Jul 2024 20:29:43 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20240702182943.GR4991@pb2> References: <20240502004150.3627661-1-michael@niedermayer.cc> <20240502004150.3627661-7-michael@niedermayer.cc> <20240502220357.GI6420@pb2> MIME-Version: 1.0 In-Reply-To: <20240502220357.GI6420@pb2> X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [PATCH 7/7] avcodec/cbs_jpeg: Try to move the read entity to one side in a test X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============3890964841728871263==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============3890964841728871263== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="u+HAydxlPP+oPOdi" Content-Disposition: inline --u+HAydxlPP+oPOdi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, May 03, 2024 at 12:03:57AM +0200, Michael Niedermayer wrote: > On Thu, May 02, 2024 at 08:58:17AM +0200, Andreas Rheinhardt wrote: > > Michael Niedermayer: > > > Fixes: CID1439654 Untrusted pointer read > > >=20 > > > Sponsored-by: Sovereign Tech Fund > > > Signed-off-by: Michael Niedermayer > > > --- > > > libavcodec/cbs_jpeg.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > >=20 > > > diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c > > > index b1b58dcd65e..406147c082c 100644 > > > --- a/libavcodec/cbs_jpeg.c > > > +++ b/libavcodec/cbs_jpeg.c > > > @@ -146,13 +146,13 @@ static int cbs_jpeg_split_fragment(CodedBitstre= amContext *ctx, > > > } > > > } else { > > > i =3D start; > > > - if (i + 2 > frag->data_size) { > > > + if (i > frag->data_size - 2) { > > > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG ima= ge: " > > > "truncated at %02x marker.\n", marker); > > > return AVERROR_INVALIDDATA; > > > } > > > length =3D AV_RB16(frag->data + i); > > > - if (i + length > frag->data_size) { > > > + if (length > frag->data_size - i) { > > > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG ima= ge: " > > > "truncated at %02x marker segment.\n", marker= ); > > > return AVERROR_INVALIDDATA; > >=20 > > You should always mention when you are not fixing bugs in our code, but > > rather intend to apply workaround for coverity crazyness (i.e. the > > requirement that reading values in non-native endianness needs to be > > sanitized). >=20 > writing code like > if (i + length > frag->data_size) >=20 > is IMHO not proper and that has nothing to do with coverity > the reason why this is not proper is that i + length could in > principle overflow. It depends on teh whole loop and calling code > if that is possible or not. >=20 > to check length, length should be alone on one side of the check I will add this to the commit message: " The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. " thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Complexity theory is the science of finding the exact solution to an approximation. Benchmarking OTOH is finding an approximation of the exact --u+HAydxlPP+oPOdi Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZoRHFwAKCRBhHseHBAsP q9BBAJ4lQPdK4wY+NtdW1bp8ADNtWrRB+wCfTrqGEfWl5clHe6gfuyzM1Vws2LM= =zKdp -----END PGP SIGNATURE----- --u+HAydxlPP+oPOdi-- --===============3890964841728871263== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============3890964841728871263==--