From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Thu, 26 Jun 2025 23:08:07 +0200
Message-ID: <20250626210807.GF29660@pb2>
References: <20250624061959.23577-1-roslypav@gmail.com> <20250625221246.GB29660@pb2> <20250625224037.GC29660@pb2>
Subject: Re: [FFmpeg-devel] [PATCH] libavformat/usmdec: add support for HCA stream decryption

Hi Pavel

On Thu, Jun 26, 2025 at 12:04:17AM -0700, Pavel Roslyy wrote:
> On Wed, Jun 25, 2025 at 3:40 PM Michael Niedermayer
> wrote:
> >
> > [...]
> > > > bug found, not applying yet
> > > >     ret = ff_alloc_extradata(par, pkt_size + key_buf);
> > > > pkt_size + key_buf can overflow I think
>
> If I'm understanding right, I don't think it can.
> pkt_size = chunk_size - (ret - chunk_start) - padding_size;
>
> (ret - chunk_start) should be at least 24 at this point, and I don't think
> padding_size will be negative so pkt_size is at most UINT32_MAX - 24.

chunk_size is arbitrary 32-bit thus pkt_size is arbitrary 32-bit

>
> key_buf adds at most 10, which is not enough to overflow.

arbitrary uint32_t + 10 can overflow.
It's a defined overflow but the following allocation is then bad

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is" - "You wouldn't want it even if you were paid for it, if you knew ..."
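The arithmetic discussed above, as an added C example that is not part of the thread and not libavformat's usmdec code. It reproduces the quoted expression on uint32_t in an unchecked form and puts a guarded form beside it. HDR_LEN stands in for (ret - chunk_start), fixed at the 24 bytes the thread mentions; extradata_size_unchecked and extradata_size_checked are illustrative names, and the assumption that the allocator takes an int size is also the example's own. The second constructed input has chunk_size below the header length, so the subtraction itself wraps and pkt_size is already arbitrary before key_buf is added.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Hypothetical stand-in for the size arithmetic under discussion. The
 * thread's expression is
 *     pkt_size = chunk_size - (ret - chunk_start) - padding_size;
 * followed by an allocation of pkt_size + key_buf bytes. HDR_LEN stands in
 * for (ret - chunk_start), which the thread says is at least 24. This is
 * example code, not libavformat's usmdec. */
#define HDR_LEN 24u

/* Unchecked: the arithmetic as the thread quotes it, on uint32_t. Every
 * operation is defined (modular) but the result is meaningless once
 * chunk_size is smaller than HDR_LEN + padding_size. Returns the byte count
 * that would be handed to the allocator. */
uint32_t extradata_size_unchecked(uint32_t chunk_size, uint32_t padding_size,
                                  uint32_t key_buf)
{
    uint32_t pkt_size = chunk_size - HDR_LEN - padding_size;
    return pkt_size + key_buf;
}

/* Checked: each subtraction is guarded so pkt_size can never wrap, the final
 * addition is guarded so pkt_size + key_buf cannot wrap, and the total must
 * fit the allocator's (assumed) int parameter. Returns the size, or -1. */
int64_t extradata_size_checked(uint32_t chunk_size, uint32_t padding_size,
                               uint32_t key_buf)
{
    if (chunk_size < HDR_LEN)
        return -1;                      /* chunk shorter than its header */
    uint32_t pkt_size = chunk_size - HDR_LEN;
    if (pkt_size < padding_size)
        return -1;                      /* padding longer than payload */
    pkt_size -= padding_size;
    if (key_buf > UINT32_MAX - pkt_size)
        return -1;                      /* pkt_size + key_buf would wrap */
    uint32_t total = pkt_size + key_buf;
    if (total > (uint32_t)INT_MAX)
        return -1;                      /* would not fit an int size */
    return (int64_t)total;
}

int main(void)
{
    /* Constructed inputs: one sane chunk, one whose chunk_size is below the
     * header length, and one whose padding exceeds the payload. */
    struct { uint32_t chunk, pad, key; } cases[] = {
        { 1024u, 8u, 10u },   /* sane: 1024 - 24 - 8 + 10 = 1002 */
        { 20u,   0u, 10u },   /* 20 - 24 wraps to 0xFFFFFFFC; + 10 wraps to 6 */
        { 100u, 90u, 10u },   /* 76 - 90 wraps to 0xFFFFFFF2; + 10 = 0xFFFFFFFC */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t u = extradata_size_unchecked(cases[i].chunk, cases[i].pad, cases[i].key);
        int64_t  c = extradata_size_checked(cases[i].chunk, cases[i].pad, cases[i].key);
        printf("chunk=%u pad=%u key=%u  unchecked=%u  checked=%lld\n",
               cases[i].chunk, cases[i].pad, cases[i].key, u, (long long)c);
    }
    return 0;
}
```

The unchecked form hands the allocator 6 bytes for the second input while the parser still believes the packet is about 4 GiB long; the checked form rejects it at the first subtraction, which is the point at which the size stops describing the file.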