From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 8649A4E35C
	for <ffmpegdev@gitmailbox.com>; Mon, 10 Mar 2025 20:32:55 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C808A68E0F2;
	Mon, 10 Mar 2025 22:32:50 +0200 (EET)
Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net
 [217.70.183.196])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id AE62768DF55
 for <ffmpeg-devel@ffmpeg.org>; Mon, 10 Mar 2025 22:32:44 +0200 (EET)
Received: by mail.gandi.net (Postfix) with ESMTPSA id DA3014454E
 for <ffmpeg-devel@ffmpeg.org>; Mon, 10 Mar 2025 20:32:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc;
 s=gm1; t=1741638764;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=gxNJJBuUe/O3vMFFe+oipYp5UVSnAs/364+3jMRdirs=;
 b=o1fjlkIek++w8baq+1tdc7Q3yxPhI65Bc74udFk8EPk9VS/aBHgoPDdNy1NvAcV6r6R9Dd
 eYhN+x08tboWZhltxEyNIWOep56FyDG9EJjb7x6lLDMiLcPFU8Z26NiI5RBcIB7gzE7R+5
 JzljKCHh0uN1Tz5QruMYKlsc9tiZUD5h3agMvIX1sJGeyw4G/9CMmg/V080q3dwYFu/RoB
 KO/LAGWPK9UKaLfQDZTci4EUxGvfer6wG3eiFeusXQaDn4UBUFRzBCRFFyeQEAdfn5hbcY
 +jjP6MfV6d2GdLjuxZ2NWrOysPDoGhJa7jFukL8YVwsN8p5imzoUbDVXcIAPSQ==
Date: Mon, 10 Mar 2025 21:32:42 +0100
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20250310203242.GO4991@pb2>
References: <20250304170719.602196-1-manuel.lauss@gmail.com>
 <20250304170719.602196-2-manuel.lauss@gmail.com>
 <20250308191122.GB4991@pb2>
 <CAOLZvyGPAZ1Tpns79rtxLXcbRK4mBvjDu+moZ6Qho=j6d8ZOtw@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAOLZvyGPAZ1Tpns79rtxLXcbRK4mBvjDu+moZ6Qho=j6d8ZOtw@mail.gmail.com>
X-GND-State: clean
X-GND-Score: -85
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgdduvddtfedvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfghrlhcuvffnffculdduhedmnecujfgurhepfffhvffukfhfgggtuggjsehgtderredttdejnecuhfhrohhmpefoihgthhgrvghlucfpihgvuggvrhhmrgihvghruceomhhitghhrggvlhesnhhivgguvghrmhgrhigvrhdrtggtqeenucggtffrrghtthgvrhhnpeelkeeggfffiedufeejueffjeduhedttdduledtheevveevtdeiueelhfdtuedtkeenucfkphepgedurdeiiedrieejrdduudefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedurdeiiedrieejrdduudefpdhhvghloheplhhotggrlhhhohhsthdpmhgrihhlfhhrohhmpehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgdpnhgspghrtghpthhtohepuddprhgtphhtthhopehffhhmphgvghdquggvvhgvlhesfhhfmhhpvghgrdhorhhg
X-GND-Sasl: michael@niedermayer.cc
Subject: Re: [FFmpeg-devel] [PATCH v4 2/3] avcodec/sanm: fobj left/top are
 signed
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: multipart/mixed; boundary="===============1489531653405145193=="
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250310203242.GO4991@pb2/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--===============1489531653405145193==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="7ZvspJ/jL6OBItqa"
Content-Disposition: inline


--7ZvspJ/jL6OBItqa
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi

On Sun, Mar 09, 2025 at 04:52:25PM +0100, Manuel Lauss wrote:
> Hi Michael,
>=20
> On Sat, Mar 8, 2025 at 8:11=E2=80=AFPM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
> >
> > Hi Manuel
> >
> > On Tue, Mar 04, 2025 at 06:07:18PM +0100, Manuel Lauss wrote:
> > > The left and top parameters of an FOBJ are signed values.
> > >
> > > Signed-off-by: Manuel Lauss <manuel.lauss@gmail.com>
> > > ---
> > > v4: revert v3, it arose due to a misunderstanding
> > > v3: change the bytestream accessor to signed too
> > > v2: no changes
> > >  libavcodec/sanm.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
> > > index a4f0a28c7c..71dbac4320 100644
> > > --- a/libavcodec/sanm.c
> > > +++ b/libavcodec/sanm.c
> > > @@ -1238,8 +1238,8 @@ static int old_codec48(SANMVideoContext *ctx, i=
nt width, int height)
> > >  static int process_frame_obj(SANMVideoContext *ctx)
> > >  {
> > >      uint16_t codec =3D bytestream2_get_le16u(&ctx->gb);
> > > -    uint16_t left  =3D bytestream2_get_le16u(&ctx->gb);
> > > -    uint16_t top   =3D bytestream2_get_le16u(&ctx->gb);
> > > +    int16_t  left  =3D bytestream2_get_le16u(&ctx->gb);
> > > +    int16_t  top   =3D bytestream2_get_le16u(&ctx->gb);
> > >      uint16_t w     =3D bytestream2_get_le16u(&ctx->gb);
> > >      uint16_t h     =3D bytestream2_get_le16u(&ctx->gb);
> >
> > Does the following code also handle all error conditions that
> > negative left/top could now trigger ?
>=20
> For the LucasArts titles that sanm.c currently supports well,
> no negative values are ever encountered.
> I let ffplay run through maybe 1/3 of the Rebel Assault 1 videos,
> which are the only ones that make use of negative values, but
> didn't encounter any crashes; mostly because the codecs it
> uses aren't supported by ffmpeg/sanm (yet).

My concern is not that it crashes my concern is that manually craftet
files could result in arbitrary code execution if theres any out of
array accesses.
Did you check that negative values are safe in that respect ?

thx

[...]
--=20
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If the United States is serious about tackling the national security threat=
s=20
related to an insecure 5G network, it needs to rethink the extent to which =
it
values corporate profits and government espionage over security.-Bruce Schn=
eier

--7ZvspJ/jL6OBItqa
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZ89MagAKCRBhHseHBAsP
q1PzAJ0YyYWwaDCI8olCGtbO3SkiUTiwGwCfT+ZK5yihItFYcqhJ4nVSE54qbPQ=
=a6C3
-----END PGP SIGNATURE-----

--7ZvspJ/jL6OBItqa--

--===============1489531653405145193==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--===============1489531653405145193==--