From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH] avutil/timecode: Check for integer overflow in av_timecode_init_from_components() (PR #20236)
Date: Thu, 14 Aug 2025 12:07:55 +0200
Message-ID: <20250814100755.GP29660@pb2>
In-Reply-To: <CABGuwEnojimobFm_fYZsxnfDfPoCi2FZTcMUcnkbehKP_bDMEQ@mail.gmail.com>

On Wed, Aug 13, 2025 at 03:36:43PM -1000, Kieran Kunhya via ffmpeg-devel wrote:
> On Wed, 13 Aug 2025, 14:25 michaelni, <code@ffmpeg.org> wrote:
>
> > PR #20236 opened by michaelni
> > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20236
> > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20236.patch
> >
> > Fixes: integer overflow
> > Fixes: testcase that calls av_timecode_init_from_components() with hh set
> > explicitly to INT_MAX
> >
> > Found-by: Youngjae Choi, Mingyoung Ban, Seunghoon Woo
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >
> >
> > From 0762e660ff8fb8c2f4c3d46a6a6c821bd69633e6 Mon Sep 17 00:00:00 2001
> > From: Michael Niedermayer <michael@niedermayer.cc>
> > Date: Thu, 14 Aug 2025 02:12:26 +0200
> > Subject: [PATCH] avutil/timecode: Check for integer overflow in
> > av_timecode_init_from_components()
> >
> > Fixes: integer overflow
> > Fixes: testcase that calls av_timecode_init_from_components() with hh set
> > explicitly to INT_MAX
> >
> > Found-by: Youngjae Choi, Mingyoung Ban, Seunghoon Woo
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavutil/timecode.c | 11 ++++++++++-
> > 1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavutil/timecode.c b/libavutil/timecode.c
> > index bca16b6ac2..052c488071 100644
> > --- a/libavutil/timecode.c
> > +++ b/libavutil/timecode.c
> > @@ -211,6 +211,7 @@ int av_timecode_init(AVTimecode *tc, AVRational rate, > > int flags, int frame_start > > int av_timecode_init_from_components(AVTimecode *tc, AVRational rate, int > > flags, int hh, int mm, int ss, int ff, void *log_ctx) > > { > > int ret; > > + int64_t s; > > > > memset(tc, 0, sizeof(*tc)); > > tc->flags = flags; 
> > @@ -221,7 +222,15 @@ int av_timecode_init_from_components(AVTimecode *tc, > > AVRational rate, int flags, > > if (ret < 0) > > return ret; > > > > - tc->start = (hh*3600 + mm*60 + ss) * tc->fps + ff; > > + s = hh*3600LL + mm*60LL + ss; > > + if (s != (int32_t)s) > > + return AVERROR(EINVAL); > > + > > + s = s * tc->fps + ff; > > + if (s != (int32_t)s) > > + return AVERROR(EINVAL); > > + tc->start = s; > > + > > if (tc->flags & AV_TIMECODE_FLAG_DROPFRAME) { /* adjust frame number > > */ > > int tmins = 60*hh + mm; > > tc->start -= (tc->fps / 30 * 2) * (tmins - tmins/10); > > -- > > 2.49.1
> >
> What is the actual security benefit of this?

in reality, probably none
in theory, it fixes undefined behavior for a range of values that is not forbidden by the API

> If someone chooses INT_MAX as
> their timecode value, surely they have to expect it overflows?

this was reported to us as a security issue
there also was a separate one with tc=NULL crashing. But that violated the API, so it didn't make it to forgejo

thx

[...]

--
Michael
GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because microsoft did it is even more stupid. If everything ms did were stupid they would be bankrupt already.
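Review bot: the drop-frame branch in the second hunk still computes `int tmins = 60*hh + mm;` in 32-bit arithmetic, and the new range check constrains only the sum `hh*3600LL + mm*60LL + ss`, so a large `hh` offset by a negative `mm` passes both checks while `60*hh` overflows `int`; either reject negative components (or bound `hh`, `mm`, `ss`, `ff` individually) before forming the sum, or compute `tmins` in `int64_t` and apply the same `(int32_t)` round-trip check to it and to the adjusted `tc->start`. The `s != (int32_t)s` idiom itself is sound here: after the first check `s` fits 32 bits and `tc->fps` is an `int`, so `s * tc->fps + ff` cannot overflow the `int64_t` before the second check.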
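The checked arithmetic from the patch, re-created as an added stand-alone example (not FFmpeg's code): `fps` stands in for `tc->fps`, `checked_timecode_start` mirrors the patch's 64-bit intermediate plus `(int32_t)` round-trip check, and `builtin_timecode_start` is an assumed alternative using the GCC/Clang `__builtin_*_overflow` builtins that checks every step, so it also rejects a huge `hh` that a negative `mm` would cancel out in the summed check.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-alone re-creation of the checked arithmetic from the patch, for
 * illustration only (not FFmpeg's code). fps stands in for tc->fps.
 * Returns 0 and stores the frame number, or -EINVAL if any intermediate
 * would not fit the 32-bit start field. */
int checked_timecode_start(int fps, int hh, int mm, int ss, int ff, int32_t *start)
{
    /* Widen before multiplying: hh*3600 in plain int is undefined for large hh. */
    int64_t s = hh * 3600LL + mm * 60LL + ss;
    /* Round-trip through int32_t: a changed value means it did not fit. */
    if (s != (int32_t)s)
        return -EINVAL;
    /* s now fits 32 bits and fps is an int, so this product fits int64_t. */
    s = s * fps + ff;
    if (s != (int32_t)s)
        return -EINVAL;
    *start = (int32_t)s;
    return 0;
}

/* Assumed alternative using the GCC/Clang overflow builtins: each step is
 * checked on its own, so a huge hh is rejected even if a negative mm cancels it. */
int builtin_timecode_start(int fps, int hh, int mm, int ss, int ff, int32_t *start)
{
    int32_t a, b, c;
    if (__builtin_mul_overflow(hh, 3600, &a) ||
        __builtin_mul_overflow(mm, 60, &b) ||
        __builtin_add_overflow(a, b, &c) ||
        __builtin_add_overflow(c, ss, &c) ||
        __builtin_mul_overflow(c, fps, &c) ||
        __builtin_add_overflow(c, ff, &c))
        return -EINVAL;
    *start = c;
    return 0;
}

int main(void)
{
    int32_t start = 0;
    /* Ordinary value 01:02:03:04 at 25 fps, then the reported hh = INT_MAX case. */
    int ret = checked_timecode_start(25, 1, 2, 3, 4, &start);
    printf("ret=%d start=%d\n", ret, start);
    printf("INT_MAX hh: ret=%d\n", checked_timecode_start(25, INT_MAX, 0, 0, 0, &start));
    return 0;
}
```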