From: Paul B Mahol
Date: Sat, 14 May 2022 12:41:07 +0200
To: FFmpeg development discussions and patches
Cc: vectronic
Subject: Re: [FFmpeg-devel] [PATCH 1/1] fix: use declared size for attribute of type string to ensure full value used and prevent parse failure for string lengths longer than 256
In-Reply-To: <20220512153019.66066-2-hello.vectronic@gmail.com>
References: <20220512153019.66066-1-hello.vectronic@gmail.com> <20220512153019.66066-2-hello.vectronic@gmail.com>

On Thu, May 12, 2022 at 5:31 PM vectronic wrote:
> Signed-off-by: vectronic > --- > libavcodec/exr.c | 32 +++++++++++++++++++++++--------- > 1 file changed, 23 insertions(+), 9 deletions(-) > > diff --git a/libavcodec/exr.c b/libavcodec/exr.c > index 8cd867a32f..bc2afcee53 100644 > --- a/libavcodec/exr.c > +++ b/libavcodec/exr.c
> @@ -1912,10 +1912,13 @@ static int decode_header(EXRContext *s, AVFrame > *frame) > continue; > } else if ((var_size = check_header_variable(s, "writer", > "string", 1)) >= 0) { > - uint8_t key[256] = { 0 }; > + uint8_t *key = av_malloc(var_size); > > - bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, > var_size)); > - av_dict_set(&metadata, "writer", key, 0); > + if (!key) > + return AVERROR(ENOMEM); > + > + bytestream2_get_buffer(gb, key, var_size); > + av_dict_set(&metadata, "writer", key, > AV_DICT_DONT_STRDUP_VAL);

var_size can be a very big number, potentially causing attack vectors.

> > continue; > } else if ((var_size = check_header_variable(s, "framesPerSecond", > @@ -1937,9 +1940,12 @@ static int decode_header(EXRContext *s, AVFrame > *frame) > continue; > } else if ((var_size = check_header_variable(s, "type", > "string", 16)) >= 0) > { > - uint8_t key[256] = { 0 }; > + uint8_t *key = av_malloc(var_size); > + > + if (!key) > + return AVERROR(ENOMEM); > > - bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, > var_size)); > + bytestream2_get_buffer(gb, key, var_size); > if (strncmp("scanlineimage", key, var_size) && > strncmp("tiledimage", key, var_size)) > return AVERROR_PATCHWELCOME; > @@ -1970,7 +1976,6 @@ static int decode_header(EXRContext *s, AVFrame > *frame) > { > uint8_t name[256] = { 0 }; > uint8_t type[256] = { 0 }; > - uint8_t value[256] = { 0 }; > int i = 0, size; > > while (bytestream2_get_bytes_left(gb) > 0 &&
> @@ -1987,9 +1992,18 @@ static int decode_header(EXRContext *s, AVFrame > *frame) > bytestream2_skip(gb, 1); > size = bytestream2_get_le32(gb); > > - bytestream2_get_buffer(gb, value, FFMIN(sizeof(value) - 1, > size)); > - if (!strcmp(type, "string")) > - av_dict_set(&metadata, name, value, 0); > + if (strcmp(type, "string") != 0) { > + bytestream2_skip(gb, size); > + > + continue; > + } > + uint8_t *value = av_malloc(size); > + > + if (!value) > + return AVERROR(ENOMEM); > + > + bytestream2_get_buffer(gb, value, size); > + av_dict_set(&metadata, name, value, AV_DICT_DONT_STRDUP_VAL); > } > } > > -- > 2.32.0 (Apple Git-132)

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
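Review bot: in the "writer" hunk the replacement buffer is no longer NUL-terminated. The old code zeroed key[256] and read at most sizeof(key) - 1 bytes, so av_dict_set always saw a terminated string; the new `uint8_t *key = av_malloc(var_size);` followed by `bytestream2_get_buffer(gb, key, var_size);` hands av_dict_set exactly var_size bytes with no terminator (EXR string attributes carry their length in the header rather than a trailing NUL), so the strlen inside av_dict_set can run past the end of the allocation. Use av_mallocz(var_size + 1), or write key[var_size] = 0 after the read, and bound var_size before allocating, as the reply interleaved in the hunk already asks: comparing it against bytestream2_get_bytes_left(gb) and returning AVERROR_INVALIDDATA when it is larger both rejects a forged size that would drive a huge allocation and guarantees bytestream2_get_buffer fills the whole buffer instead of leaving the tail uninitialized on a truncated file.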
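Review bot: the "type" hunk leaks key. It was a stack array before; now it is av_malloc()ed, but neither the `return AVERROR_PATCHWELCOME;` path nor the path past the two strncmp checks frees it, so every decoded header leaks var_size bytes. Free it before the return and after the comparison, or keep a bounded stack buffer here since only two fixed strings are compared against it. The same short-read concern as in the "writer" hunk applies: av_malloc leaves the bytes uninitialized, so if bytestream2_get_buffer reads fewer than var_size bytes the strncmp calls compare garbage.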
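Review bot: in the generic-attribute hunk size comes straight from bytestream2_get_le32() and is passed unchecked to `av_malloc(size)` and `bytestream2_get_buffer(gb, value, size)`, so a header can request an allocation of up to 4 GiB and a truncated file leaves most of that buffer uninitialized before av_dict_set reads it as a C string; the buffer is also not NUL-terminated, which the removed `uint8_t value[256] = { 0 };` was. Validate size against bytestream2_get_bytes_left(gb) first, allocate with av_mallocz(size + 1), and declare value at the top of the block rather than after the continue, as the project's coding rules at the time require. The `bytestream2_skip(gb, size);` for non-string attributes is a separate improvement: the old code read at most 255 bytes of any attribute and fell out of sync on longer ones, so the commit message should say that non-string handling changes too rather than describing only the string case.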