From: Kacper Michajlow
Date: Thu, 30 Jan 2025 09:14:51 +0100
To: Leo Izen
Cc: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/jpegxl_parse{, r}: fix integer overflow for some malformed files
In-Reply-To: <20250129195815.100902-1-leo.izen@gmail.com>
List-Id: FFmpeg development discussions and patches

On Wed, 29 Jan 2025 at 20:58, Leo Izen wrote:
>
> If there's a very large ISOBMFF box that needs to be skipped, it can
> cause an overflow for ctx->skip. There's already a safeguard to return
> quickly if ctx->skip > bufsize, so changing ctx->skip to int64_t will
> allow this to happen even if ctx->skip would overflow a signed int.
>
> Several other members are also changed to int64_t to avoid this problem
> in other possible scenarios.
> > Signed-off-by: Leo Izen > Reported-by: Kacper Michajlow > Fixes: clusterfuzz-testcase-minimized-fuzzer_loadfile-6085331937460224 > --- > libavcodec/jpegxl_parse.c | 5 +++-- > libavcodec/jpegxl_parser.c | 16 ++++++++-------- > 2 files changed, 11 insertions(+), 10 deletions(-) > > diff --git a/libavcodec/jpegxl_parse.c b/libavcodec/jpegxl_parse.c > index 7cfdd3e7d5..022eed322d 100644 > --- a/libavcodec/jpegxl_parse.c > +++ b/libavcodec/jpegxl_parse.c > @@ -450,7 +450,8 @@ int ff_jpegxl_collect_codestream_header(const uint8_t *input_buffer, int input_l > uint8_t *buffer, int buflen, int *copied) > { > GetByteContext gb; > - int pos = 0, last_box = 0; > + int64_t pos = 0; > + int last_box = 0; > bytestream2_init(&gb, input_buffer, input_len); > > while (1) { > @@ -516,5 +517,5 @@ int ff_jpegxl_collect_codestream_header(const uint8_t *input_buffer, int input_l > break; > } > > - return pos; > + return FFMIN(pos, INT_MAX); > } > diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c > index a888e9ae6e..68404229a5 100644 > --- a/libavcodec/jpegxl_parser.c > +++ b/libavcodec/jpegxl_parser.c > @@ -155,12 +155,12 @@ typedef struct JXLParseContext { > > /* using ISOBMFF-based container */ > int container; > - int skip; > + int64_t skip; > int copied; > - int collected_size; > - int codestream_length; > + int64_t collected_size; > + int64_t codestream_length; > int skipped_icc; > - int next; > + int64_t next; > > uint8_t cs_buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE]; > } JXLParseContext; > @@ -1396,7 +1396,7 @@ static int skip_boxes(JXLParseContext *ctx, const uint8_t *buf, int buf_size) > return 0; > } > > -static int try_parse(AVCodecParserContext *s, AVCodecContext *avctx, JXLParseContext *ctx, > +static int64_t try_parse(AVCodecParserContext *s, AVCodecContext *avctx, JXLParseContext *ctx, > const uint8_t *buf, int buf_size) > { > int ret, cs_buflen, header_skip; 
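Review bot: in the jpegxl_parse.c hunk at @@ -516, `return FFMIN(pos, INT_MAX);` clamps silently, so a caller that reads the return as "bytes consumed" cannot tell a real position of INT_MAX from a clamped one. Since the function already returns int, consider returning AVERROR_INVALIDDATA when pos exceeds input_len instead of clamping, or at least document the clamp in the function's comment. Also confirm the file pulls in <limits.h> for INT_MAX (the includes are not in the diff).

Review bot: the JXLParseContext hunk at @@ -155 widens skip, collected_size, codestream_length and next to int64_t but shows no use sites, so every read of those fields (assignment into int locals, comparison with int buffer sizes, av_log format arguments using %d) needs to be audited separately; none of that appears in the diff. `int copied;` staying int is fine only if it is bounded by cs_buffer, which the context suggests.

Review bot: in the try_parse hunk at @@ -1396 the return type becomes int64_t, but the unchanged context line `int ret, cs_buflen, header_skip;` shows the locals that feed the return value are still int; if the returned expression is computed in those, the widening is cosmetic and the overflow just moves one line up. Widen whichever local carries the returned position, or compute it as int64_t at the return statement.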
> @@ -1489,10 +1489,10 @@ static int jpegxl_parse(AVCodecParserContext *s, AVCodecContext *avctx, > } > > if ((!ctx->container || !ctx->codestream_length) && !ctx->next) { > - ret = try_parse(s, avctx, ctx, pbuf, pindex); > - if (ret < 0) > + int64_t ret64 = try_parse(s, avctx, ctx, pbuf, pindex); > + if (ret64 < 0) > goto flush; > - ctx->next = ret; > + ctx->next = ret64; > if (ctx->container) > ctx->skip += ctx->next; > } > -- > 2.48.1 >

Works for me. Thanks.

- Kacper

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
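Review bot: in the jpegxl_parse hunk at @@ -1489, `ctx->skip += ctx->next;` gets no bound check of its own; with both fields now int64_t the addition will not wrap for any input size in practice, but the commit message relies on a later `ctx->skip > bufsize` guard to stop the parser, so a one-line comment here naming that guard would save the next reader from hunting for it. The separate `ret64` local is fine; `ret` keeps its existing uses elsewhere in the function.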
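The overflow Leo's commit message describes, shown as an added example that is not FFmpeg's code and not from either mail: a minimal ISOBMFF box-header walker that accumulates the bytes to skip in int64_t and stops as soon as the total exceeds the data on hand (the "return quickly if ctx->skip > bufsize" safeguard), next to a helper that reproduces what a 32-bit signed skip field holds after the same accumulation wraps. The box layout is the standard ISOBMFF one (4-byte big-endian size, 4-byte type, size 1 followed by a 64-bit largesize, size 0 meaning "to end of input"); the function names, the clamp helper mirroring the patch's FFMIN(pos, INT_MAX), and the input buffer are this example's own, and the buffer is constructed, not taken from any file.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input (not from a real file): the 12-byte JPEG XL signature
 * box, then a 'jxlc' box header whose 64-bit largesize is 4 GiB + 4 with
 * no payload present. */
static const uint8_t demo[] = {
    0x00, 0x00, 0x00, 0x0C, 'J', 'X', 'L', ' ', 0x0D, 0x0A, 0x87, 0x0A,
    0x00, 0x00, 0x00, 0x01, 'j', 'x', 'l', 'c',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04,
};

static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rb64(const uint8_t *p)
{
    return ((uint64_t)rb32(p) << 32) | rb32(p + 4);
}

/* Parse one box header at buf[0..len). Returns the header length consumed
 * (8, or 16 when size==1 and a largesize follows) and stores the declared
 * box size, header included, in *box_size; size==0 is passed through as 0.
 * Returns -1 for a truncated header or a size smaller than the header. */
static int parse_box_header(const uint8_t *buf, size_t len, uint64_t *box_size)
{
    uint32_t size;
    if (len < 8)
        return -1;
    size = rb32(buf);
    if (size == 1) {
        if (len < 16)
            return -1;
        *box_size = rb64(buf + 8);
        return *box_size < 16 ? -1 : 16;
    }
    if (size != 0 && size < 8)
        return -1;
    *box_size = size;
    return 8;
}

/* Hardened walk, the shape the patch moves to: int64_t running skip, and the
 * loop stops once the skip exceeds the bytes on hand. Returns the bytes to
 * skip, or -1 on a malformed header. */
static int64_t collect_skip64(const uint8_t *buf, size_t len)
{
    int64_t skip = 0;
    while (skip + 8 <= (int64_t)len) {
        uint64_t box_size;
        int hdr = parse_box_header(buf + skip, len - (size_t)skip, &box_size);
        if (hdr < 0)
            return -1;
        if (box_size == 0)                       /* box runs to end of input */
            return (int64_t)len;
        if (box_size > (uint64_t)(INT64_MAX - skip))
            return -1;                           /* not even int64_t can hold it */
        skip += (int64_t)box_size;
        if (skip > (int64_t)len)                 /* the "return quickly" guard */
            break;
    }
    return skip;
}

/* The "before" picture: what a 32-bit signed skip field holds after the
 * accumulation wraps. The two's-complement reduction is done by hand so the
 * demo itself has no signed-overflow undefined behaviour. */
static int64_t wrapped_int32(uint64_t v)
{
    uint32_t u = (uint32_t)v;
    return u >= 0x80000000u ? (int64_t)u - 0x100000000LL : (int64_t)u;
}

/* The skip > bufsize guard over the wrapped int value and the int64_t value. */
static int legacy_guard_fires(uint64_t skip, size_t bufsize)
{
    return wrapped_int32(skip) > (int64_t)bufsize;
}

static int guard_fires64(int64_t skip, size_t bufsize)
{
    return skip > (int64_t)bufsize;
}

/* Mirror of the patch's `return FFMIN(pos, INT_MAX)` for an int return type. */
static int clamp_to_int(int64_t v)
{
    return v > INT_MAX ? INT_MAX : (int)v;
}

int main(void)
{
    int64_t skip = collect_skip64(demo, sizeof demo);
    printf("int64 skip %lld, guard fires %d\n", (long long)skip,
           guard_fires64(skip, sizeof demo));
    printf("wrapped int skip %lld, guard fires %d\n",
           (long long)wrapped_int32((uint64_t)skip),
           legacy_guard_fires((uint64_t)skip, sizeof demo));
    printf("clamped return %d\n", clamp_to_int(skip));
    return 0;
}
```

With the 28-byte input the int64_t walk reports a skip of 4294967312 and the guard fires; reduced to 32 bits the same total wraps to 16, which is below the buffer size, so the guard is silent and a parser built on the int field would keep going inside a box it cannot see the end of.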