From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 633F64965B
	for <ffmpegdev@gitmailbox.com>; Thu, 15 Feb 2024 20:07:31 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 897B468D288;
	Thu, 15 Feb 2024 22:07:29 +0200 (EET)
Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com
 [209.85.128.48])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 7D82868D238
 for <ffmpeg-devel@ffmpeg.org>; Thu, 15 Feb 2024 22:07:22 +0200 (EET)
Received: by mail-wm1-f48.google.com with SMTP id
 5b1f17b1804b1-410acf9e776so13955e9.1
 for <ffmpeg-devel@ffmpeg.org>; Thu, 15 Feb 2024 12:07:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=chromium.org; s=google; t=1708027641; x=1708632441; darn=ffmpeg.org;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date:message-id:reply-to;
 bh=HEUkC2UhVO8jgNrNUJrM0PDQLH/xpYwSgnmf8uqCb6k=;
 b=IecFjIw7QOpfEpDOVcaIMdiGwMLwPljD0drFjEn9au9XtgyMRcfVJ4Tfrv35BGgFq+
 LsHBSdJw8VglvYRHC68e8blebxSyXd0CvPUC/jYXfeIwPpBC7PGrIXV/iuOYGiQd/1WY
 MrnccxPozBMjbQo5YBYBz/JtTozj7ADCUGMQY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1708027641; x=1708632441;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=HEUkC2UhVO8jgNrNUJrM0PDQLH/xpYwSgnmf8uqCb6k=;
 b=wqTY9QULxgSkecwQm1aCdAnVnbqqTeCYqYCUyimWHOAKdbiqNZzWdE9aAOepDcNMLi
 hFuTMpTjKdsoinpZEJR5jkjjW7VsGf6xk9uv6wou6Lt8gDcaARxdUcCUlW6p29VqgnBM
 RHyZW0bONGJv2OLDY6IhwIuG68DbjSSVHel3eIJk5IwKHGACmtP02eHVAT7rG6pYcT/J
 bTUFczJi5xdI8TRsLSmBzzLaeS4IZac2aVsOrqI+0hbpfVO2TY68GsrqF0AcIBOucJn2
 f+h+VyYXFTMIVsjyxuZh8URYqQf6TYx/wJluY8OUvXgYZI+spV/1rj9HlMlEj9xZ53lL
 4Liw==
X-Gm-Message-State: AOJu0Yw5mQ+v79Ft4llys0xVfqFAG4iXPt57f02uq33k5eAvUXorhieZ
 dFQBJ9VuOhxglZROS2PvxJw3NN5lwhhnA8AmRwkvADwu80Q+wUhlZCwCGzn7I8YTeMDhqishHI+
 picQGJSUXUN/0a323zWK6N09RtmUsOdcnghq85b8k/HsqXm1k8g==
X-Google-Smtp-Source: AGHT+IHRl++lNUGBiYJ+ZZ8eo3mq5SIGXJrbRQhmPCtBQS6nYkghvBxbuTVKFadL/tl+xD5db3p3qCWcE1xtHYCvAMM=
X-Received: by 2002:a05:600c:a39e:b0:411:f6b6:faf5 with SMTP id
 hn30-20020a05600ca39e00b00411f6b6faf5mr44168wmb.3.1708027641198; Thu, 15 Feb
 2024 12:07:21 -0800 (PST)
MIME-Version: 1.0
References: <CAPUDrwdO3Tfp68SH7fJCaqp8CKS92_-tPPf3QS20Wt0ubjYzVw@mail.gmail.com>
 <AS8P250MB07447AE5D2E43E094D5DDCEC8F422@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM>
 <CAPUDrwdoMLQvjDE_DQ2h+HQLGbo6LCJM1kqaNaheh64koTQrVA@mail.gmail.com>
 <CAPUDrwcdy7-1CeAJ79_btNmuK1v=MHDSJqdbEBnuObT4RJ1aGg@mail.gmail.com>
 <20240205200736.GS6420@pb2>
In-Reply-To: <20240205200736.GS6420@pb2>
From: Dale Curtis <dalecurtis@chromium.org>
Date: Thu, 15 Feb 2024 12:07:05 -0800
Message-ID: <CAPUDrwebThi7Re5GHdAK5u_DmrhuU5mktTFFsWcYXa8GXRob=w@mail.gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: multipart/mixed; boundary="000000000000d26da80611712c86"
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
Subject: Re: [FFmpeg-devel] [PATCH] [mov] Avoid OOM for invalid STCO / CO64
 constructions.
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/CAPUDrwebThi7Re5GHdAK5u_DmrhuU5mktTFFsWcYXa8GXRob=w@mail.gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

--000000000000d26da80611712c86
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Feb 5, 2024 at 12:07=E2=80=AFPM Michael Niedermayer <michael@nieder=
mayer.cc>
wrote:

> assuming atom.size is an arbitrary 64bit value
> then the value of FFMIN() is also 64bit but entries is unsigned 32bit,
> this truncation
> would allow setting entries to values outside whats expected from FFMIN()
> also we seem to disalllow entries =3D=3D 0 before this
> and its maybe possible to set entries =3D 0 here, bypassing the =3D=3D 0 =
check
> before


Thanks. I've moved the clamp up to before the zero check. The only way a
bad 64-bit value could get in is if atom.size < 8, which I didn't think was
possible, but I've added a FFMAX(0,) there too.

- dale

--000000000000d26da80611712c86
Content-Type: application/x-patch; name="stco-clamp-entries-v3.patch"
Content-Disposition: attachment; filename="stco-clamp-entries-v3.patch"
Content-Transfer-Encoding: base64
Content-ID: <f_lsnni03e0>
X-Attachment-Id: f_lsnni03e0

RnJvbSBkYjNlOWZmYzM2NGNjOTRjYjNhNzI2OTZkNGQ0ODU4YWY2YWJjYzQyIE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiBEYWxlIEN1cnRpcyA8ZGFsZWN1cnRpc0BjaHJvbWl1bS5vcmc+
CkRhdGU6IEZyaSwgMiBGZWIgMjAyNCAyMDo0OTo0NCArMDAwMApTdWJqZWN0OiBbUEFUQ0hdIFtt
b3ZdIEF2b2lkIE9PTSBmb3IgaW52YWxpZCBTVENPIC8gQ082NCBjb25zdHJ1Y3Rpb25zLgoKVGhl
IGBlbnRyaWVzYCB2YWx1ZSBpcyByZWFkIGRpcmVjdGx5IGZyb20gdGhlIHN0cmVhbSBhbmQgdXNl
ZCB0bwphbGxvY2F0ZSBtZW1vcnkuIFRoaXMgY2hhbmdlIGNsYW1wcyBgZW50cmllc2AgdG8gaG93
ZXZlciBtYW55IGFyZQpwb3NzaWJsZSBpbiB0aGUgcmVtYWluaW5nIGF0b20gb3IgZmlsZSBzaXpl
ICh3aGljaGV2ZXIgaXMgc21hbGxlc3QpLgoKRml4ZXMgaHR0cHM6Ly9jcmJ1Zy5jb20vMTQyOTM1
NwoKU2lnbmVkLW9mZi1ieTogRGFsZSBDdXJ0aXMgPGRhbGVjdXJ0aXNAY2hyb21pdW0ub3JnPgot
LS0KIGxpYmF2Zm9ybWF0L21vdi5jIHwgOCArKysrKysrLQogMSBmaWxlIGNoYW5nZWQsIDcgaW5z
ZXJ0aW9ucygrKSwgMSBkZWxldGlvbigtKQoKZGlmZiAtLWdpdCBhL2xpYmF2Zm9ybWF0L21vdi5j
IGIvbGliYXZmb3JtYXQvbW92LmMKaW5kZXggYWY5NWUxZjY2Mi4uMWU0ODUwZmU5ZiAxMDA2NDQK
LS0tIGEvbGliYXZmb3JtYXQvbW92LmMKKysrIGIvbGliYXZmb3JtYXQvbW92LmMKQEAgLTIyMjgs
NyArMjIyOCwxMiBAQCBzdGF0aWMgaW50IG1vdl9yZWFkX3N0Y28oTU9WQ29udGV4dCAqYywgQVZJ
T0NvbnRleHQgKnBiLCBNT1ZBdG9tIGF0b20pCiAgICAgYXZpb19yOChwYik7IC8qIHZlcnNpb24g
Ki8KICAgICBhdmlvX3JiMjQocGIpOyAvKiBmbGFncyAqLwogCi0gICAgZW50cmllcyA9IGF2aW9f
cmIzMihwYik7CisgICAgLy8gQ2xhbXAgYWxsb2NhdGlvbiBzaXplIGZvciBgY2h1bmtfb2Zmc2V0
c2AgLS0gZG9uJ3QgdGhyb3cgYW4gZXJyb3IgZm9yIGFuCisgICAgLy8gaW52YWxpZCBjb3VudCBz
aW5jZSB0aGUgRU9GIHBhdGggZG9lc24ndCB0aHJvdyBlaXRoZXIuCisgICAgZW50cmllcyA9Cisg
ICAgICAgIEZGTUlOKGF2aW9fcmIzMihwYiksCisgICAgICAgICAgICAgIEZGTUFYKDAsIChhdG9t
LnNpemUgLSA4KSAvCisgICAgICAgICAgICAgICAgICAgICAgICAgICAoYXRvbS50eXBlID09IE1L
VEFHKCdzJywgJ3QnLCAnYycsICdvJykgPyA0IDogOCkpKTsKIAogICAgIGlmICghZW50cmllcykK
ICAgICAgICAgcmV0dXJuIDA7CkBAIC0yMjM3LDYgKzIyNDIsNyBAQCBzdGF0aWMgaW50IG1vdl9y
ZWFkX3N0Y28oTU9WQ29udGV4dCAqYywgQVZJT0NvbnRleHQgKnBiLCBNT1ZBdG9tIGF0b20pCiAg
ICAgICAgIGF2X2xvZyhjLT5mYywgQVZfTE9HX1dBUk5JTkcsICJJZ25vcmluZyBkdXBsaWNhdGVk
IFNUQ08gYXRvbVxuIik7CiAgICAgICAgIHJldHVybiAwOwogICAgIH0KKwogICAgIGF2X2ZyZWUo
c2MtPmNodW5rX29mZnNldHMpOwogICAgIHNjLT5jaHVua19jb3VudCA9IDA7CiAgICAgc2MtPmNo
dW5rX29mZnNldHMgPSBhdl9tYWxsb2NfYXJyYXkoZW50cmllcywgc2l6ZW9mKCpzYy0+Y2h1bmtf
b2Zmc2V0cykpOwotLSAKMi40NC4wLnJjMC4yNTguZzczMjBlOTU4ODYtZ29vZwoK
--000000000000d26da80611712c86
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--000000000000d26da80611712c86--