From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 23 Mar 2022 12:07:25 +0100
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: check allocated size for overflow
In-Reply-To: <20220323093033.24577-2-michael@niedermayer.cc>
References: <20220323093033.24577-1-michael@niedermayer.cc> <20220323093033.24577-2-michael@niedermayer.cc>

Michael Niedermayer:
> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavformat/aiffdec.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c > index 3634bb4960..c2b8e0dede 100644 > --- a/libavformat/aiffdec.c > +++ b/libavformat/aiffdec.c > @@ -72,7 +72,12 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) > /* Metadata string read */ > static void get_meta(AVFormatContext *s, const char *key, int size) > { > - uint8_t *str = av_malloc(size+1); > + uint8_t *str; > + > + if (size == INT_MAX) > + return; > + > + str = av_malloc(size+1); > > if (str) { > int res = avio_read(s->pb, str, size);

If a size of INT_MAX is legal, then you can just use "size + 1U" to avoid the wraparound. (The allocation will then fail with the default value of max_alloc_size and in this case the avio_skip() will be executed, so that we don't lose sync (your patch does that).)

Looking at get_tag() shows that the size actually comes from a uint32_t which gets truncated to INT_MAX if it is not representable in an int. I don't know whether the specs mandate this behaviour (probably not, so one loses sync). If one wanted to impose an arbitrary limit, I would use something much smaller than INT_MAX.

- Andreas

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
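Review bot: the new `if (size == INT_MAX) return;` in get_meta() leaves the function before anything after the allocation runs, so for such a chunk the avio_skip() that Andreas's reply describes is never reached and the demuxer ends up out of step with the container, whereas a failed av_malloc() in the pre-patch code still fell through to that skip. Writing the request as `str = av_malloc(size + 1U);` removes the signed overflow without adding an exit path: the addition is done in unsigned arithmetic, the oversized allocation fails under the default max_alloc_size, and the existing failure handling runs. The commit message should also state why INT_MAX is the only value that can overflow here (get_tag() truncates the uint32_t chunk size to INT_MAX); otherwise the check reads like a general bounds check rather than the single edge-case guard it is.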
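As an added example (not code from the patch or from FFmpeg), the following C models the arithmetic the reply discusses: clamp_chunk_size(), meta_alloc_len(), meta_alloc_accepted(), read_meta_chunk(), MAX_ALLOC_SIZE and the SAMPLE buffer are all constructed stand-ins, and MAX_ALLOC_SIZE assumes FFmpeg's default allocation limit equals INT_MAX.

```c
/* Added example, not FFmpeg's code: models the get_meta() arithmetic in the
 * patch. A chunk size clamped to INT_MAX makes `size + 1` overflow a signed
 * int; `size + 1U` adds in unsigned, the oversized request is refused by the
 * allocation limit, and the skip path that keeps the demuxer in sync runs. */
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ALLOC_SIZE INT_MAX /* assumption: mirrors FFmpeg's default limit */
static const uint8_t SAMPLE[] = "constructed AIFF metadata text";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* get_tag() behaviour noted in the reply: a 32-bit chunk size that does not
 * fit in an int is truncated to INT_MAX. */
static int clamp_chunk_size(uint32_t raw)
{
    return raw > (uint32_t)INT_MAX ? INT_MAX : (int)raw;
}

/* Length for the string plus NUL: `size + 1` is UB at INT_MAX, `size + 1U` is 2147483648. */
static unsigned meta_alloc_len(int size)
{
    return size + 1U;
}

/* Stand-in for the max_alloc_size check inside av_malloc(). */
static int meta_alloc_accepted(uint32_t raw_size)
{
    return meta_alloc_len(clamp_chunk_size(raw_size)) <= MAX_ALLOC_SIZE;
}

/* Reads one metadata chunk of raw_size bytes from a buffer of avail bytes and
 * returns the bytes consumed. The payload is consumed whether or not the
 * allocation was accepted (the avio_skip() path), so a refused allocation
 * does not leave the demuxer out of sync with the container. */
static size_t read_meta_chunk(const uint8_t *buf, size_t avail, uint32_t raw_size)
{
    int size = clamp_chunk_size(raw_size);
    size_t n = (size_t)size < avail ? (size_t)size : avail;
    uint8_t *str = meta_alloc_accepted(raw_size) ? malloc(meta_alloc_len(size)) : NULL;

    if (str) {
        memcpy(str, buf, n); /* avio_read() stand-in */
        str[n] = 0;
        free(str);
    }
    return n;                /* avio_skip() stand-in: always advance */
}
```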