From: Andreas Rheinhardt
Date: Mon, 20 Dec 2021 21:48:35 +0100
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH v2] avformat/mov: abort reading truncated stts
References: <20211220204609.199-1-ffmpeg@gyani.pro>
In-Reply-To: <20211220204609.199-1-ffmpeg@gyani.pro>

Gyan Doshi:
> Avoids overreading the box and ingesting absurd values into stts_data > --- > libavformat/mov.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 2aed6e80ef..5a7209837f 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c 
> @@ -2935,6 +2935,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) > avio_rb24(pb); /* flags */ > entries = avio_rb32(pb); > > + if (atom.size < 8 + (int64_t)entries*8) { > + av_log(c->fc, AV_LOG_ERROR, "Truncated STTS box for st %d.\n", c->fc->nb_streams-1); > + return AVERROR_INVALIDDATA; > + } > + > av_log(c->fc, AV_LOG_TRACE, "track[%u].stts.entries = %u\n", > c->fc->nb_streams-1, entries); > >

This might fix the issue with the fuzzer sample Michael gave you, but what would stop the fuzzer (or a malicious adversary) from simply using a gigantic atom size?

- Andreas
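
Review bot: The new bound in `if (atom.size < 8 + (int64_t)entries*8)` is only as trustworthy as `atom.size`, which comes from the same file as `entries`, so a box that declares a very large size but carries little data still passes with a large `entries`. The check is a reasonable early reject for a header that is inconsistent with itself, but the code that consumes `entries` after this hunk (not shown here) would still need to stop at end of input, or the count would need to be bounded by the data actually available rather than by the declared size. Two smaller points: the constants `8` and `*8` are unexplained, and a short comment saying what each one counts would help; and the new error message prints `c->fc->nb_streams-1` with `%d` while the trace line just below prints the same expression with `%u`, so one specifier should be used for both.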