From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 5/5] avformat/mov: Check if heif item name is already allocated
Date: Fri, 26 Apr 2024 21:23:30 -0300
Message-ID: <5e4dfc8a-6624-414f-bd78-efed275edf28@gmail.com>
In-Reply-To: <20240427000301.GZ6420@pb2>
On 4/26/2024 9:03 PM, Michael Niedermayer wrote:
> On Fri, Apr 26, 2024 at 08:57:02PM -0300, James Almer wrote:
>> On 4/26/2024 8:52 PM, Michael Niedermayer wrote:
>>> Fixes: memleak
>>> Fixes: 68212/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4963488540721152
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavformat/mov.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 97a24e6737e..5b8278f736e 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -8136,6 +8136,9 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx)
>>> avio_rb24(pb); // flags.
>>> size -= 4;
>>> + if (c->heif_item[idx].name)
>>> + return AVERROR_INVALIDDATA;
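Review bot: the added `if (c->heif_item[idx].name) return AVERROR_INVALIDDATA;` closes the leak by refusing any second infe for the same item index, but the commit message only cites a memleak and does not say whether a repeated name is actually invalid input or merely unexpected; if the intent is just to stop the leak, releasing the previous string (av_freep on c->heif_item[idx].name) before the new one is stored would fix the same report without aborting the demux, and whichever policy is chosen, the reason (spec says at most one infe per item, or defensive rejection) belongs in the commit message so the next reader knows why a duplicate is fatal here.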
>>
>> I prefer to free the old one before the av_bprint_finalize() call instead of
>> aborting.
>
> does the format allow this to be changing?
This code is not supposed to be invoked twice if an iinf box is
correctly parsed. It can only happen if a second iinf box shows up after
the first and demuxing wasn't aborted, either because the error was
ignored, or an infe box within was version < 2.
>
> because security wise, allowing an attacker to change things is worse
> than allowing her to just set it once.
A second iinf box could show up after the first was not finished
parsing, and as long as it has no names for the items, it would still
finish parsing even after this patch. So better just clean old values
and keep parsing. Further sanity checks will happen when all the items
are turned into something meant to be exported.
>
> and heif seems to have a rather high density of issues already, judging
> from how many of the recent mov issues were in heif code
>
> thx
>
> [...]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
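The thread above weighs two ways of handling a second infe box for an item whose name is already allocated: reject the file (the patch as posted) or free the old name and keep parsing (the alternative proposed in the reply). The following is an added, constructed C model of that situation, not FFmpeg code: a small item table with a heap-allocated per-item name, a handler that a malformed file can trigger twice for the same index, and the three policies side by side (the pre-patch overwrite that leaks, the reject, and the free-then-replace). All struct names, the `Policy` enum, the allocation counter and the sample names are assumptions made for the demo; `ERR_INVALIDDATA` stands in for AVERROR_INVALIDDATA.

```c
/* Constructed demo of the leak discussed in the thread; not FFmpeg code.
 * A box handler stores a heap-allocated name per item. If the handler
 * runs twice for the same index, the first pointer is lost unless it is
 * either refused (POLICY_REJECT) or freed first (POLICY_REPLACE). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEMS 4
#define ERR_INVALIDDATA (-1)   /* placeholder for AVERROR_INVALIDDATA */

typedef struct { char *name; } Item;

typedef struct {
    Item items[MAX_ITEMS];
    int live_allocs;           /* outstanding allocations, tracked for the demo */
} Ctx;

enum Policy { POLICY_OVERWRITE, POLICY_REJECT, POLICY_REPLACE };

static char *ctx_strdup(Ctx *c, const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        return NULL;
    memcpy(p, s, n);
    c->live_allocs++;
    return p;
}

static void ctx_free_name(Ctx *c, Item *it)
{
    if (it->name) {
        free(it->name);
        it->name = NULL;
        c->live_allocs--;
    }
}

/* Models the infe handler: store the item's name (here a plain string
 * rather than bytes read from an AVIOContext) at items[idx]. */
static int read_infe(Ctx *c, int idx, const char *name, enum Policy pol)
{
    if (idx < 0 || idx >= MAX_ITEMS)
        return ERR_INVALIDDATA;
    if (c->items[idx].name) {
        if (pol == POLICY_REJECT)
            return ERR_INVALIDDATA;           /* the posted patch */
        if (pol == POLICY_REPLACE)
            ctx_free_name(c, &c->items[idx]); /* free before overwrite */
        /* POLICY_OVERWRITE: fall through and lose the old pointer */
    }
    c->items[idx].name = ctx_strdup(c, name);
    return c->items[idx].name ? 0 : -2;
}

/* Release everything still referenced; whatever remains counted is leaked. */
static int ctx_close(Ctx *c)
{
    for (int i = 0; i < MAX_ITEMS; i++)
        ctx_free_name(c, &c->items[i]);
    return c->live_allocs;
}

/* Two infe boxes for item 0, the second one's status is returned. */
static int run_scenario(enum Policy pol, Ctx *c)
{
    memset(c, 0, sizeof *c);
    read_infe(c, 0, "first", pol);
    return read_infe(c, 0, "second", pol);
}

int second_call_status(enum Policy pol)
{
    Ctx c; int r = run_scenario(pol, &c); ctx_close(&c); return r;
}

int final_name_is(enum Policy pol, const char *expect)
{
    Ctx c; run_scenario(pol, &c);
    int ok = c.items[0].name && strcmp(c.items[0].name, expect) == 0;
    ctx_close(&c); return ok;
}

int leak_count(enum Policy pol)
{
    Ctx c; run_scenario(pol, &c); return ctx_close(&c);
}

int main(void)
{
    const char *names[] = { "overwrite", "reject", "replace" };
    for (int p = POLICY_OVERWRITE; p <= POLICY_REPLACE; p++)
        printf("%-9s status=%d leaked=%d\n", names[p],
               second_call_status(p), leak_count(p));
    return 0;
}
```

Run under a leak checker or just read the counters: only the overwrite policy ends with an allocation nobody can free, while reject and replace both end clean; they differ in what survives (the first name versus the second) and in whether the rest of the file is still parsed, which is exactly the trade-off the two replies disagree on.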
Thread overview:
2024-04-26 23:52 [FFmpeg-devel] [PATCH 1/5] avcodec/pngdec: Check last AVFrame before deref Michael Niedermayer
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 2/5] avcodec/vp3: Call ff_progress_frame_unref() before ff_progress_frame_get_buffer() Michael Niedermayer
2024-04-27 9:47 ` Andreas Rheinhardt
2024-04-27 18:15 ` Michael Niedermayer
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 3/5] avcodec/decode: Check progress before dereferencing Michael Niedermayer
2024-04-27 11:13 ` Andreas Rheinhardt
2024-06-25 19:47 ` Michael Niedermayer
2024-06-25 19:51 ` Andreas Rheinhardt
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Check ref frame Michael Niedermayer
2024-04-27 10:14 ` Andreas Rheinhardt
2024-04-27 18:23 ` Michael Niedermayer
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 5/5] avformat/mov: Check if heif item name is already allocated Michael Niedermayer
2024-04-26 23:57 ` James Almer
2024-04-27 0:03 ` Michael Niedermayer
2024-04-27 0:23 ` James Almer [this message]
2024-04-27 23:19 ` James Almer
2024-04-27 9:36 ` [FFmpeg-devel] [PATCH 1/5] avcodec/pngdec: Check last AVFrame before deref Andreas Rheinhardt
2024-04-27 18:13 ` Michael Niedermayer