From: James Almer
Date: Fri, 26 Apr 2024 21:23:30 -0300
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 5/5] avformat/mov: Check if heif item name is already allocated
Message-ID: <5e4dfc8a-6624-414f-bd78-efed275edf28@gmail.com>
In-Reply-To: <20240427000301.GZ6420@pb2>
References: <20240426235211.3718252-1-michael@niedermayer.cc> <20240426235211.3718252-5-michael@niedermayer.cc> <20240427000301.GZ6420@pb2>

On 4/26/2024 9:03 PM, Michael Niedermayer wrote:
> On Fri, Apr 26, 2024 at 08:57:02PM -0300, James Almer wrote:
>> On 4/26/2024 8:52 PM, Michael Niedermayer wrote:
>>> Fixes: memleak
>>> Fixes: 68212/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4963488540721152
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer
>>> ---
>>>  libavformat/mov.c | 3 +++
>>>  1 file changed, 3 insertions(+)
>>>
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 97a24e6737e..5b8278f736e 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -8136,6 +8136,9 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx)
>>>      avio_rb24(pb); // flags.
>>>      size -= 4;
>>> +    if (c->heif_item[idx].name)
>>> +        return AVERROR_INVALIDDATA;
>>
>> I prefer to free the old one before the av_bprint_finalize() call instead of
>> aborting.
>
> does the format allow this to be changing ?

This code is not supposed to be invoked twice if an iinf box is correctly
parsed. It can only happen if a second iinf box shows up after the first and
demuxing wasn't aborted, either because the error was ignored, or an infe box
within was version < 2.

> because security wise, allowing an attacker to change things is worse
> than allowing her to just set it once.

A second iinf box could show up after the first was not finished parsing, and
as long as it has no names for the items, it would still finish parsing even
after this patch. So better just clean old values and keep parsing. Further
sanity checks will happen when all the items are turned into something meant
to be exported.

> and heif seems to have a rather high density of issues already, judging
> from how many of the recent mov issues were in heif code
>
> thx
>
> [...]
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
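Review bot: the early return on an already-set c->heif_item[idx].name (the two + lines in the mov_read_infe hunk) makes any second infe for the same idx fatal for the whole file, while the reply in this thread argues a duplicate can legitimately reach this point after an earlier, tolerated parse error; freeing the existing string before the av_bprint_finalize() call (for instance with av_freep(&c->heif_item[idx].name)) closes the leak the fuzzer found without rejecting such files, so the two + lines would better read as a free than as a return. Whichever behaviour is chosen, a one-line comment above the check saying why a name can already exist here (a repeated iinf box) would keep the next reader from treating it as dead code. Also, the hunk header and diffstat announce 3 insertions but only 2 + lines are visible in the quoted hunk; please confirm the third is whitespace only.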
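The situation James describes, a second infe record naming an idx whose name is already set, as an added C model that is not FFmpeg code: `read_infe_name` stands in for the name-assignment step of `mov_read_infe`, and `Ctx`, `HeifItem`, `Policy`, `ERR_INVALIDDATA`, `N_ITEMS` and the two-record input are all constructed here. It compares the pre-patch overwrite (the first string is leaked), the posted early return (the file is rejected), and the free-then-replace variant suggested in the reply (no leak, parsing continues).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define ERR_INVALIDDATA (-EINVAL)   /* constructed stand-in for AVERROR_INVALIDDATA */
#define N_ITEMS 4                   /* constructed size of the heif_item array */

/* Stand-in for MOVContext::heif_item[idx].name: one heap string per item, plus a
 * count of strings allocated and not yet freed so that a leak becomes visible. */
typedef struct { char *name; } HeifItem;
typedef struct { HeifItem item[N_ITEMS]; int live_allocs; } Ctx;
typedef struct { int ret_second; int live; } Outcome;
/* What to do when an infe names an idx that already has a name. */
enum Policy { POLICY_OVERWRITE, POLICY_REJECT, POLICY_REPLACE };

/* Model of the name-assignment step of mov_read_infe(); the real code builds the
 * string with av_bprint_finalize(), a plain copy stands in for it here. */
static int read_infe_name(Ctx *c, int idx, const char *name, enum Policy p)
{
    if (idx < 0 || idx >= N_ITEMS)
        return ERR_INVALIDDATA;
    if (c->item[idx].name) {
        if (p == POLICY_REJECT)          /* the posted patch: fail the whole file */
            return ERR_INVALIDDATA;
        if (p == POLICY_REPLACE) {       /* the reply's suggestion: drop the old string */
            free(c->item[idx].name); c->item[idx].name = NULL;
            c->live_allocs--;
        }
        /* POLICY_OVERWRITE: pre-patch behaviour, the old pointer is simply lost */
    }
    char *s = malloc(strlen(name) + 1);
    if (!s) return -ENOMEM;
    strcpy(s, name);
    c->item[idx].name = s;
    c->live_allocs++;
    return 0;
}

/* Feed two infe entries for the same idx, as a duplicate iinf box would, then free
 * what the context still points to; anything left in live is a leaked string. */
static Outcome duplicate_infe(enum Policy p)
{
    Ctx c = {0}; Outcome o;
    read_infe_name(&c, 1, "first", p);
    o.ret_second = read_infe_name(&c, 1, "second", p);
    for (int i = 0; i < N_ITEMS; i++)
        if (c.item[i].name) { free(c.item[i].name); c.live_allocs--; }
    o.live = c.live_allocs;
    return o;
}
```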