[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: add sanity check for frame size

[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: add sanity check for frame size

[Leo Izen]

If a frame size is absolutely massive, this can spin the parser as it
attempts to decode a permuted TOC. We add a sanity check here for eight
times the size of the image for an internal frame to prevent malicious
bitstreams from slowing the parser down to a crawl.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
Reported-by: Kacper Michajłow <kasper93-at-gmail.com@ffmpeg.org>
---
 libavcodec/jpegxl_parser.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 68404229a5..e40b4fbf96 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -1315,6 +1315,11 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
     if (get_bits1(gb)) {
         JXLEntropyDecoder dec;
         int64_t end, lehmer = 0;
+        /* parser sanity check to prevent TOC perm from spinning cpu */
+        if (width > meta->coded_width * 8 || height > meta->coded_height * 8) {
+            av_log(avctx, AV_LOG_WARNING, "massive frame detectived, aborting parser\n");
+            return AVERROR_INVALIDDATA;
+        }
         ret = entropy_decoder_init(avctx, gb, &dec, 8);
         if (ret < 0)
             return ret;
@@ -1331,7 +1336,7 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
             lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer));
             if (lehmer < 0 || get_bits_left(gb) < 0) {
                 entropy_decoder_close(&dec);
-                return AVERROR_BUFFER_TOO_SMALL;
+                return lehmer < 0 ? lehmer : AVERROR_BUFFER_TOO_SMALL;
             }
         }
         entropy_decoder_close(&dec);
-- 
2.50.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: add sanity check for frame size

[Kacper Michajlow]

On Tue, 15 Jul 2025 at 20:02, Leo Izen <leo.izen@gmail.com> wrote:
>
> If a frame size is absolutely massive, this can spin the parser as it
> attempts to decode a permuted TOC. We add a sanity check here for eight
> times the size of the image for an internal frame to prevent malicious
> bitstreams from slowing the parser down to a crawl.
>
> Signed-off-by: Leo Izen <leo.izen@gmail.com>
> Reported-by: Kacper Michajłow <kasper93-at-gmail.com@ffmpeg.org>

Please use my real email, instead this wrapped one, thanks.

> ---
>  libavcodec/jpegxl_parser.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 68404229a5..e40b4fbf96 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -1315,6 +1315,11 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
>      if (get_bits1(gb)) {
>          JXLEntropyDecoder dec;
>          int64_t end, lehmer = 0;
> +        /* parser sanity check to prevent TOC perm from spinning cpu */
> +        if (width > meta->coded_width * 8 || height > meta->coded_height * 8) {
> +            av_log(avctx, AV_LOG_WARNING, "massive frame detectived, aborting parser\n");

detected? Also maybe make it more formal like "frame of size %dx%d
exceeds limit of %dx%d, aborting" or something along those lines.
"massive frame" doesn't really tell much.

- Kacper
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: add sanity check for frame size

[Leo Izen]

On 7/16/25 06:34, Kacper Michajlow wrote:
> On Tue, 15 Jul 2025 at 20:02, Leo Izen <leo.izen@gmail.com> wrote:
>>
>> If a frame size is absolutely massive, this can spin the parser as it
>> attempts to decode a permuted TOC. We add a sanity check here for eight
>> times the size of the image for an internal frame to prevent malicious
>> bitstreams from slowing the parser down to a crawl.
>>
>> Signed-off-by: Leo Izen <leo.izen@gmail.com>
>> Reported-by: Kacper Michajłow <kasper93-at-gmail.com@ffmpeg.org>
> 
> Please use my real email, instead this wrapped one, thanks.


Will do.


> 
>> ---
>>   libavcodec/jpegxl_parser.c | 7 ++++++-
>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
>> index 68404229a5..e40b4fbf96 100644
>> --- a/libavcodec/jpegxl_parser.c
>> +++ b/libavcodec/jpegxl_parser.c
>> @@ -1315,6 +1315,11 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
>>       if (get_bits1(gb)) {
>>           JXLEntropyDecoder dec;
>>           int64_t end, lehmer = 0;
>> +        /* parser sanity check to prevent TOC perm from spinning cpu */
>> +        if (width > meta->coded_width * 8 || height > meta->coded_height * 8) {
>> +            av_log(avctx, AV_LOG_WARNING, "massive frame detectived, aborting parser\n");
> 
> detected? Also maybe make it more formal like "frame of size %dx%d
> exceeds limit of %dx%d, aborting" or something along those lines.
> "massive frame" doesn't really tell much.
> 

I read that like four times and still never noticed the typo. Thanks :)

I can change the error message too to something like that.


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".