References: <CAPUDrwdO3Tfp68SH7fJCaqp8CKS92_-tPPf3QS20Wt0ubjYzVw@mail.gmail.com>
 <AS8P250MB07447AE5D2E43E094D5DDCEC8F422@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM>
 <CAPUDrwdoMLQvjDE_DQ2h+HQLGbo6LCJM1kqaNaheh64koTQrVA@mail.gmail.com>
In-Reply-To: <CAPUDrwdoMLQvjDE_DQ2h+HQLGbo6LCJM1kqaNaheh64koTQrVA@mail.gmail.com>
From: Dale Curtis <dalecurtis@chromium.org>
Date: Fri, 2 Feb 2024 15:45:24 -0800
Message-ID: <CAPUDrwcdy7-1CeAJ79_btNmuK1v=MHDSJqdbEBnuObT4RJ1aGg@mail.gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH] [mov] Avoid OOM for invalid STCO / CO64 constructions.
Archived-At: <https://master.gitmailbox.com/ffmpegdev/CAPUDrwcdy7-1CeAJ79_btNmuK1v=MHDSJqdbEBnuObT4RJ1aGg@mail.gmail.com/>

On Fri, Feb 2, 2024 at 3:42 PM Dale Curtis <dalecurtis@chromium.org> wrote:

> On Fri, Feb 2, 2024 at 3:20=E2=80=AFPM Andreas Rheinhardt <
> andreas.rheinhardt@outlook.com> wrote:
>
>> Dale Curtis:
>> > +    // Clamp allocation size for `chunk_offsets` -- don't throw an
>> error for an
>> > +    // invalid count since the EOF path doesn't throw either.
>> > +    entries =
>> > +        FFMIN(entries, FFMIN(atom.size - 8, avio_size(pb) -
>> avio_tell(pb)) /
>> > +                           (atom.type == MKTAG('s', 't', 'c', 'o') ? 4
>> : 8));
>> > +
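Review bot: `atom.size - 8` in the clamp has no visible guard for `atom.size < 8`; for an atom too short to hold its version/flags and count field the inner FFMIN picks the negative remainder, the division keeps it negative, and the outer `FFMIN(entries, ...)` then selects that negative value, so `entries` is not bounded (and, if `entries` is unsigned, becomes a huge count) in exactly the truncated-input case this change targets. Consider an explicit `if (atom.size < 8)` check ahead of the expression, or deriving the bound from `FFMAX(atom.size - 8, 0)`. Hoisting `avio_size(pb) - avio_tell(pb)` and the entry width (`atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8`) into locals would also avoid the double evaluation inside the FFMIN macros noted below and make the three-line nested expression readable.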
>>
>> This may call avio_size() and avio_tell() multiple times. Furthermore,
>> is it even certain that avio_size() returns a sane value?
>>
>
> I hope so since there are other usages of avio_size() throughout the file
> in a similar manner. I guess you're saying it may be invalid when
> !AVIO_SEEKABLE_NORMAL? Sticking to just atom.size is also fine.
>

Here's a version of the patch which does just that.
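Added example (not from this thread or FFmpeg's mov.c): the clamp under discussion, done with atom.size alone, applied to a constructed stco payload that claims 4G entries but carries three, plus the truncated-atom case. `TAG`, `clamp_co_entries`, `read_chunk_offsets`, `kBogusStco` and `demo_bogus_stco` are hypothetical names, and atom_size is assumed to mean the payload length after the box's 8-byte size/type header.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical local fourcc macro with MKTAG's byte layout. */
#define TAG(a, b, c, d) ((uint32_t)(a) | (uint32_t)(b) << 8 | (uint32_t)(c) << 16 | (uint32_t)(d) << 24)
#define CO_HEADER_BYTES 8 /* version(1) + flags(3) + entry_count(4) precede the offsets */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Bound the declared count by what the payload can hold (atom_size = payload bytes after
 * the box header, an assumption); a truncated atom yields 0 rather than a negative bound. */
static uint32_t clamp_co_entries(uint32_t declared, int64_t atom_size, uint32_t atom_type)
{
    int64_t entry_bytes = atom_type == TAG('s', 't', 'c', 'o') ? 4 : 8;
    if (atom_size < CO_HEADER_BYTES)
        return 0;
    int64_t avail = (atom_size - CO_HEADER_BYTES) / entry_bytes;
    return (int64_t)declared < avail ? declared : (uint32_t)avail;
}

/* Parse an stco/co64 payload into a freshly allocated table (caller frees).
 * Returns entries stored, 0 for a truncated atom, -1 if calloc fails. */
static int64_t read_chunk_offsets(const uint8_t *payload, int64_t atom_size,
                                  uint32_t atom_type, uint64_t **out)
{
    *out = NULL;
    if (atom_size < CO_HEADER_BYTES)
        return 0;
    uint32_t entries = clamp_co_entries(rd32(payload + 4), atom_size, atom_type);
    if (entries == 0)
        return 0;
    uint64_t *offs = calloc(entries, sizeof(*offs)); /* sized by the atom, not the file's claim */
    if (!offs)
        return -1;
    int is_stco = atom_type == TAG('s', 't', 'c', 'o');
    const uint8_t *p = payload + CO_HEADER_BYTES;
    for (uint32_t i = 0; i < entries; i++, p += is_stco ? 4 : 8)
        offs[i] = is_stco ? rd32(p) : (uint64_t)rd32(p) << 32 | rd32(p + 4);
    *out = offs;
    return entries;
}

/* Constructed sample: stco payload claiming 0xFFFFFFFF entries, carrying only 16, 4096, 8192. */
static const uint8_t kBogusStco[20] = { 0, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF,
                                        0, 0, 0, 0x10, 0, 0, 0x10, 0, 0, 0, 0x20, 0 };
/* Returns 3 when the sample parses to exactly its three stored offsets, else -1. */
static int64_t demo_bogus_stco(void)
{
    uint64_t *o;
    int64_t n = read_chunk_offsets(kBogusStco, sizeof kBogusStco, TAG('s', 't', 'c', 'o'), &o);
    int ok = n == 3 && o[0] == 16 && o[1] == 4096 && o[2] == 8192;
    free(o); return ok ? n : -1;
}
```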

Content-Type: application/octet-stream; name="stco-clamp-entries-v2.patch"
Content-Disposition: attachment; filename="stco-clamp-entries-v2.patch"