From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 3/3] avformat/mov: fix the entry count overflow check in the keys atom
Date: Tue, 2 Apr 2024 05:30:59 +0200
Message-ID: <GV1P250MB0737A618F523B20FBDBBCFE58F3E2@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <20240402031800.7159-3-jamrial@gmail.com>
James Almer:
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
> libavformat/mov.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index a935ef7326..9fca402896 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5025,7 +5025,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> avio_skip(pb, 4);
> count = avio_rb32(pb);
> atom.size -= 8;
> - if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
> + if (count + 1LL > UINT_MAX / sizeof(*c->meta_keys)) {
> av_log(c->fc, AV_LOG_ERROR,
> "The 'keys' atom with the invalid key count: %"PRIu32"\n", count);
> return AVERROR_INVALIDDATA;
What is supposed to be wrong here in the first place? The only thing I
can think of is the case in which sizeof(*c->meta_keys) is > UINT_MAX,
in which case the rhs would wrap around. But I don't think that is what
you meant given that sizeof(*c->meta_keys) == sizeof(char*).
Anyway, a simpler check that works even if sizeof(*c->meta_keys) were
insanely large is "count >= UINT_MAX / sizeof(*c->meta_keys)".
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2024-04-02 3:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-02 3:17 [FFmpeg-devel] [PATCH 1/3] avformat/mov: take into account the first eight bytes " James Almer
2024-04-02 3:17 ` [FFmpeg-devel] [PATCH 2/3] avformat/mov: don't read key_size bytes twice " James Almer
2024-04-02 3:18 ` [FFmpeg-devel] [PATCH 3/3] avformat/mov: fix the entry count overflow check " James Almer
2024-04-02 3:30 ` Andreas Rheinhardt [this message]
2024-04-02 12:05 ` James Almer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=GV1P250MB0737A618F523B20FBDBBCFE58F3E2@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM \
--to=andreas.rheinhardt@outlook.com \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git