Date: Fri, 27 Jun 2025 23:32:46 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Message-ID: <20250627213246.GH29660@pb2>
Subject: Re: [FFmpeg-devel] [PATCH] libavformat/usmdec: add support for HCA stream decryption

On Fri, Jun 27, 2025 at 12:20:11PM -0700, Pavel Roslyy wrote:
> On Thu, Jun 26, 2025 at 2:08 PM Michael Niedermayer
> wrote:
> >
> > Hi Pavel
> >
> > On Thu, Jun 26, 2025 at 12:04:17AM -0700, Pavel Roslyy wrote:
> > > On Wed, Jun 25, 2025 at 3:40 PM Michael Niedermayer
> > > wrote:
> > > >
> > > > [...]
> > > >
> > > > bug found, not applying yet
> > > >
> > > > ret = ff_alloc_extradata(par, pkt_size + key_buf);
> > > >
> > > > pkt_size + key_buf can overflow I think
> > >
> > > If I'm understanding right, I don't think it can.
> > > pkt_size = chunk_size - (ret - chunk_start) - padding_size;
> > >
> > > (ret - chunk_start) should be at least 24 at this point, and I don't think
> > > padding_size will be negative so pkt_size is at most UINT32_MAX - 24.
> >
> > chunk_size is arbitrary 32bit thus pkt_size is arbitrary 32bit
> >
> > >
> > > key_buf adds at most 10, which is not enough to overflow.
> >
> > arbitrary uint32_t + 10 can overflow. It's a defined overflow
> > but the following allocation is then bad
>
> I think what happens is arbitrary uint32_t - 24 + 10, which cannot overflow
> but it looks like I wasn't convincing. I assume you want an overflow check?
>
> if (key_buf > UINT32_MAX - pkt_size)
>     return AVERROR_INVALIDDATA;
>
> Would this work or do you have a better suggestion?

ok

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Nations do behave wisely once they have exhausted all other alternatives.
-- Abba Eban
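The arithmetic argued over in this thread, as an added example that is not part of the original messages or of FFmpeg's usmdec.c: a stand-alone C model that assumes `chunk_size`, `pkt_size` and `key_buf` are all `uint32_t` and that no earlier bounds check applies. The helper names and input values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: every quantity is uint32_t, as the thread's "arbitrary
 * uint32_t" wording suggests. Helper names are hypothetical. */

/* pkt_size = chunk_size - (ret - chunk_start) - padding_size, with
 * consumed standing in for (ret - chunk_start). Unsigned subtraction
 * wraps when chunk_size is smaller than what was already consumed. */
static uint32_t model_pkt_size(uint32_t chunk_size, uint32_t consumed,
                               uint32_t padding_size)
{
    return chunk_size - consumed - padding_size;
}

/* Unchecked sum: wraps modulo 2^32, so the size handed to the allocator
 * can be tiny while pkt_size itself is still huge. */
static uint32_t alloc_size_unchecked(uint32_t pkt_size, uint32_t key_buf)
{
    return pkt_size + key_buf;
}

/* The guard proposed in the thread. Returns 0 and stores the sum in *out,
 * or -1 where the real code would return AVERROR_INVALIDDATA. */
static int alloc_size_checked(uint32_t pkt_size, uint32_t key_buf,
                              uint32_t *out)
{
    if (key_buf > UINT32_MAX - pkt_size)
        return -1;
    *out = pkt_size + key_buf;
    return 0;
}

int main(void)
{
    /* Constructed input: a 20-byte chunk after 24 bytes were consumed. */
    uint32_t pkt = model_pkt_size(20, 24, 0);
    uint32_t size = 0;
    int rc;

    printf("pkt_size            = %u\n", (unsigned)pkt);
    printf("unchecked alloc arg = %u\n",
           (unsigned)alloc_size_unchecked(pkt, 10));
    printf("checked result      = %d\n", alloc_size_checked(pkt, 10, &size));
    rc = alloc_size_checked(1000, 10, &size);
    printf("checked, pkt=1000   = %d (size %u)\n", rc, (unsigned)size);
    return 0;
}
```

With the constructed input the modelled `pkt_size` is 4294967292 and the unchecked sum is 6, which is the mismatch between allocation size and packet size that the guard rejects.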