From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 22 Apr 2024 17:46:10 -0300
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/cbs_h2645: Check NAL space
Message-ID: <3ed83124-4f7e-4ed6-8e3c-3a97852617b7@gmail.com>
In-Reply-To: <67b2f0ee-9465-4b76-ad15-be68d9faa987@jkqxz.net>
References: <20240422013150.458103-1-michael@niedermayer.cc> <67b2f0ee-9465-4b76-ad15-be68d9faa987@jkqxz.net>

On 4/22/2024 5:40 PM, Mark Thompson wrote:
> On 22/04/2024 02:31, Michael Niedermayer wrote:
>> Found-by-reviewing: CID1419833 Untrusted loop bound
>>
>> Sponsored-by: Sovereign Tech Fund
>> Signed-off-by: Michael Niedermayer
>> ---
>>  libavcodec/cbs_h2645.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
>> index fe2e383ff33..1a45d424bae 100644
>> --- a/libavcodec/cbs_h2645.c
>> +++ b/libavcodec/cbs_h2645.c
>> @@ -709,7 +709,11 @@ static int cbs_h2645_split_fragment(CodedBitstreamContext *ctx,
>>
>>          start = bytestream2_tell(&gbc);
>>          for(i = 0; i < num_nalus; i++) {
>> +            if (bytestream2_get_bytes_left(&gbc) < 2)
>> +                return AVERROR_INVALIDDATA;
>>              size = bytestream2_get_be16(&gbc);
>> +            if (bytestream2_get_bytes_left(&gbc) < size)
>> +                return AVERROR_INVALIDDATA;
>>              bytestream2_skip(&gbc, size);
>>          }
>>          end = bytestream2_tell(&gbc);
>
> Seems fair.
>
> The problem looks more general with missing bounds checks in all the H.266 code around this, though? Compare with H.26[45], which have checks on all the reads - seems like H.266 should be doing that.
>
> Thanks,

Not against this approach, but since the bytestream2_get_* functions return 0, never overread the buffer or move the internal pointer, wouldn't it be enough to just ensure end > start? Particularly in ff_h2645_packet_split(), we can return an error if length (in this case being set to end - start) is < 4.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
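Review bot: the second added check, `if (bytestream2_get_bytes_left(&gbc) < size)`, is the one that handles a NAL whose 16-bit length field claims more bytes than remain: without it `bytestream2_skip(&gbc, size)` clamps at the end of the buffer, the loop completes, and `end - start` silently covers a truncated NAL. The first check, `if (bytestream2_get_bytes_left(&gbc) < 2)`, is what bounds the untrusted `num_nalus` loop named in the commit message: once the reader is exhausted, every remaining iteration would otherwise read a zero length and keep going rather than fail. A one-line comment on each check saying which of these two cases it rejects would answer the question raised in the thread about whether the bytestream2 functions' own clamping already makes them unnecessary.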
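The behaviour discussed in the thread, shown as an added example that is not FFmpeg's code: a minimal byte reader modelled on the bytestream2 contract (assumption for this example: a short read returns 0 and leaves the reader exhausted, and a skip past the end clamps at the end of the buffer), with the NAL-length walk from the patch run both with and without the two added checks over constructed inputs. The names `ByteReader`, `br_*`, `walk_nalus` and the sample buffers are this example's own.

```c
/* Added example, not FFmpeg code. Minimal bounded byte reader modelled on the
 * bytestream2 contract described in the thread (assumption: short reads
 * return 0 and exhaust the reader; skips clamp at the buffer end). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1) /* stands in for AVERROR_INVALIDDATA */

typedef struct ByteReader {
    const uint8_t *buf, *end, *start;
} ByteReader;

static void br_init(ByteReader *r, const uint8_t *data, size_t len)
{
    r->buf = r->start = data;
    r->end = data + len;
}

static size_t br_bytes_left(const ByteReader *r) { return (size_t)(r->end - r->buf); }
static size_t br_tell(const ByteReader *r)       { return (size_t)(r->buf - r->start); }

/* Big-endian 16-bit read; on a short buffer return 0 and mark the reader
 * exhausted (assumed behaviour, mirroring what the thread says about
 * bytestream2_get_*: never overreads). */
static unsigned br_get_be16(ByteReader *r)
{
    if (br_bytes_left(r) < 2) { r->buf = r->end; return 0; }
    unsigned v = ((unsigned)r->buf[0] << 8) | r->buf[1];
    r->buf += 2;
    return v;
}

/* Skip n bytes, clamping at the end of the buffer. */
static void br_skip(ByteReader *r, size_t n)
{
    if (n > br_bytes_left(r)) n = br_bytes_left(r);
    r->buf += n;
}

/* Walk num_nalus length-prefixed NAL units, as the patched loop does.
 * checks=1 applies the two checks from the patch; checks=0 relies only on the
 * reader's clamping. Returns the span (end - start) or ERR_INVALIDDATA. */
static int walk_nalus(const uint8_t *data, size_t len, unsigned num_nalus, int checks)
{
    ByteReader r;
    br_init(&r, data, len);
    size_t start = br_tell(&r);
    for (unsigned i = 0; i < num_nalus; i++) {
        if (checks && br_bytes_left(&r) < 2)      /* truncated length field */
            return ERR_INVALIDDATA;
        unsigned size = br_get_be16(&r);
        if (checks && br_bytes_left(&r) < size)   /* length exceeds the buffer */
            return ERR_INVALIDDATA;
        br_skip(&r, size);
    }
    size_t end = br_tell(&r);
    return (int)(end - start);
}

/* Constructed sample inputs. */
static const uint8_t good_sample[]      = { 0x00, 0x03, 0xAA, 0xBB, 0xCC, 0x00, 0x01, 0xDD }; /* 2 NALs, 8 bytes */
static const uint8_t oversized_sample[] = { 0x00, 0x10, 0xAA };                                /* claims 16 bytes, has 1 */
static const uint8_t short_sample[]     = { 0x00 };                                            /* half a length field */

int main(void)
{
    printf("good, 2 NALs, checked:     %d\n", walk_nalus(good_sample, sizeof good_sample, 2, 1));
    printf("oversized, checked:        %d\n", walk_nalus(oversized_sample, sizeof oversized_sample, 1, 1));
    printf("oversized, unchecked:      %d (silently truncated)\n", walk_nalus(oversized_sample, sizeof oversized_sample, 1, 0));
    printf("short field, checked:      %d\n", walk_nalus(short_sample, sizeof short_sample, 1, 1));
    printf("good, num_nalus=5, checked:%d\n", walk_nalus(good_sample, sizeof good_sample, 5, 1));
    printf("good, num_nalus=5, unchecked: %d (loop spins on an empty reader)\n", walk_nalus(good_sample, sizeof good_sample, 5, 0));
    return 0;
}
```

The unchecked variants never read past the buffer, which is the point made in the reply; what they lose is the error signal. A NAL whose length field exceeds the remaining bytes comes back as a shorter span, and an inflated `num_nalus` just keeps iterating on an exhausted reader, which is the untrusted-loop-bound finding the commit message cites.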