From: Andreas Rheinhardt
Date: Sat, 24 Jun 2023 21:14:53 +0200
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
In-Reply-To: <20230622003038.20969-1-michael@niedermayer.cc>

Michael Niedermayer: > Fixes: out of array access > 
Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b > > Found-by: Catena cyber > Signed-off-by: Michael Niedermayer > --- > libavcodec/parser.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/parser.c b/libavcodec/parser.c > index efc28b8918..db39e698ab 100644 > --- a/libavcodec/parser.c > +++ b/libavcodec/parser.c > @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next, > for (; pc->overread > 0; pc->overread--) > pc->buffer[pc->index++] = pc->buffer[pc->overread_index++]; > > - if (next > *buf_size) > + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND)) > return AVERROR(EINVAL); > > /* flush remaining if EOF */

Could you provide more details about this? E.g. which parser is this about at all? And how can we actually come in this situation at all? (Whenever I looked at ff_combine_frame() I do not really understand what its invariants are supposed to be.)

- Andreas
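Review bot: The added lower bound `next < -pc->index && next != END_NOT_FOUND` in ff_combine_frame() carries no comment stating the invariant it enforces, and the commit message names neither the parser that produced the bad value nor the access that went out of bounds. Suggest a short comment above the condition explaining that, as the comparison implies, a negative next may reach back at most pc->index bytes into pc->buffer, and that END_NOT_FOUND is exempted because it is a sentinel rather than an offset. Two further points on the same lines: the check sits after the overread loop, which has already advanced pc->index and drained pc->overread, so the bound is evaluated against the post-copy index and the AVERROR(EINVAL) return leaves that state modified; it is worth confirming both are intended. Rejecting the value here also leaves open whether the calling parser should ever compute such a next, so naming the parser in the commit message would let the root cause be reviewed as well.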