From: Michael Niedermayer
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Thu, 14 Aug 2025 12:07:55 +0200
Subject: Re: [FFmpeg-devel] [PATCH] avutil/timecode: Check for integer overflow in av_timecode_init_from_components() (PR #20236)
Message-ID: <20250814100755.GP29660@pb2>
References: <20250814002549.6431A68CFFE@ffbox0-bg.ffmpeg.org>

On Wed, Aug 13, 2025 at 03:36:43PM -1000, Kieran Kunhya via ffmpeg-devel wrote:
> On Wed, 13 Aug 2025, 14:25 michaelni, wrote:
>
> > PR #20236 opened by michaelni
> > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20236
> > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20236.patch
> >
> > Fixes: integer overflow
> > Fixes: testcase that calls av_timecode_init_from_components() with hh set
> > explicitly to INT_MAX
> >
> > Found-by: Youngjae Choi, Mingyoung Ban, Seunghoon Woo
> > Signed-off-by: Michael Niedermayer
> >
> >
> > From 0762e660ff8fb8c2f4c3d46a6a6c821bd69633e6 Mon Sep 17 00:00:00 2001
> > From: Michael Niedermayer
> > Date: Thu, 14 Aug 2025 02:12:26 +0200
> > Subject: [PATCH] avutil/timecode: Check for integer overflow in
> >  av_timecode_init_from_components()
> >
> > Fixes: integer overflow
> > Fixes: testcase that calls av_timecode_init_from_components() with hh set
> > explicitly to INT_MAX
> >
> > Found-by: Youngjae Choi, Mingyoung Ban, Seunghoon Woo
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavutil/timecode.c | 11 ++++++++++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavutil/timecode.c b/libavutil/timecode.c
> > index bca16b6ac2..052c488071 100644
> > --- a/libavutil/timecode.c
> > +++ b/libavutil/timecode.c
> > @@ -211,6 +211,7 @@ int av_timecode_init(AVTimecode *tc, AVRational rate, int flags, int frame_start
> >  int av_timecode_init_from_components(AVTimecode *tc, AVRational rate, int flags, int hh, int mm, int ss, int ff, void *log_ctx)
> >  {
> >      int ret;
> > +    int64_t s;
> >
> >      memset(tc, 0, sizeof(*tc));
> >      tc->flags = flags;
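Review bot: the new `int64_t s;` is reused for two different quantities further down (first a count of whole seconds, then the frame number including `ff`), which makes the two `(int32_t)s` checks harder to read on their own; a name such as `start` or a one-line comment at the declaration saying it is the 64-bit accumulator for `tc->start` would make the intent clear.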
> > @@ -221,7 +222,15 @@ int av_timecode_init_from_components(AVTimecode *tc, AVRational rate, int flags,
> >      if (ret < 0)
> >          return ret;
> >
> > -    tc->start = (hh*3600 + mm*60 + ss) * tc->fps + ff;
> > +    s = hh*3600LL + mm*60LL + ss;
> > +    if (s != (int32_t)s)
> > +        return AVERROR(EINVAL);
> > +
> > +    s = s * tc->fps + ff;
> > +    if (s != (int32_t)s)
> > +        return AVERROR(EINVAL);
> > +    tc->start = s;
> > +
> >      if (tc->flags & AV_TIMECODE_FLAG_DROPFRAME) { /* adjust frame number */
> >          int tmins = 60*hh + mm;
> >          tc->start -= (tc->fps / 30 * 2) * (tmins - tmins/10);
> > --
> > 2.49.1
> >
>
> What is the actual security benefit of this?

in reality, probably none
in theory, it fixes undefined behavior for a range of values that is not forbidden by the API

> If someone chooses INT_MAX as
> their timecode value, surely they have to expect it overflows?

this was reported to us as a security issue
there also was a separate one with tc=NULL crashing. But that violated the API, so it didn't make it to forgejo

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
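Review bot: the drop-frame branch immediately after the new checks still does its arithmetic in `int`: `int tmins = 60*hh + mm;` and `tc->start -= (tc->fps / 30 * 2) * (tmins - tmins/10);`. The two range checks bound the weighted sum `hh*3600 + mm*60 + ss` and its product with `tc->fps`, not `hh`, `mm`, `ss` or `tc->fps` individually, so with mixed-sign components `60*hh` can still exceed `int` even though the checked sum fits, and the product with `tc->fps / 30 * 2` can still overflow before the subtraction; applying the correction to the `int64_t` `s` and doing the second range check after it would close that path too. A one-line comment that the first check is what keeps `s * tc->fps` inside `int64_t` would also help, since with a 64-bit `s` the intermediate check otherwise looks redundant.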
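The range check discussed above, as an added C example (not FFmpeg's code or the patch itself): it reproduces the start-frame arithmetic with the patch's two 64-bit checks and, going one step beyond the patch, carries the drop-frame correction in 64 bits as well before narrowing. The `fps` and `dropframe` parameters, the function names and `INT64_MIN` standing in for `AVERROR(EINVAL)` are this example's own assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FFmpeg's code: the start-frame computation of
 * av_timecode_init_from_components() with the patch's 64-bit range checks,
 * extended so that the drop-frame correction is also done in 64 bits before
 * the final narrowing. fps is the integer frame rate. Returns 0 and stores
 * the frame number in *start, or -1 where FFmpeg returns AVERROR(EINVAL). */
static int fits_int(int64_t v)
{
    return v >= INT_MIN && v <= INT_MAX;
}

int timecode_start_checked(int fps, int dropframe,
                           int hh, int mm, int ss, int ff, int *start)
{
    int64_t s = hh * 3600LL + mm * 60LL + ss;   /* cannot overflow int64_t */
    /* Load-bearing: without this check s * fps (up to ~7.7e12 * INT_MAX)
     * would overflow int64_t as well, so the 64-bit type alone is not enough. */
    if (!fits_int(s))
        return -1;
    s = s * fps + ff;                            /* |s| < 2^62 + INT_MAX */
    if (dropframe) {
        /* The first check bounds hh to roughly +/-4e7, so every term below
         * fits int64_t; the original computes 60*hh in plain int. */
        int64_t tmins = 60LL * hh + mm;
        s -= (int64_t)(fps / 30 * 2) * (tmins - tmins / 10);
    }
    if (!fits_int(s))
        return -1;
    *start = (int)s;
    return 0;
}

/* Value-returning wrapper: the frame number, or INT64_MIN if rejected. */
int64_t timecode_start_or_min(int fps, int dropframe, int hh, int mm, int ss, int ff)
{
    int start;
    return timecode_start_checked(fps, dropframe, hh, mm, ss, ff, &start) ? INT64_MIN : start;
}
int main(void)
{
    /* Constructed inputs: a valid 01:00:00:00 at 30 fps, then the reported hh = INT_MAX. */
    printf("01:00:00:00 @30 -> %lld\n", (long long)timecode_start_or_min(30, 0, 1, 0, 0, 0));
    printf("hh=INT_MAX  @30 -> %lld (INT64_MIN means rejected)\n",
           (long long)timecode_start_or_min(30, 0, INT_MAX, 0, 0, 0));
    return 0;
}
```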