From: Leo Izen
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 4 Oct 2023 18:13:57 -0400
Subject: Re: [FFmpeg-devel] [PATCH v2] avcodec/jpegxl_parser: fix various memory issues
In-Reply-To: <20231003150035.176199-1-leo.izen@gmail.com>
References: <20231003150035.176199-1-leo.izen@gmail.com>

On 10/3/23 11:00, Leo Izen wrote:
> The spec caps the prefix alphabet size to 32768 (i.e. 1 << 15) so we
> should check for that and reject alphabets that are too large, in order
> to prevent over-allocating.
>
> Additionally, there's no need to allocate buffers that are as large as
> the maximum alphabet size as these aren't stack-allocated, they're heap
> allocated and thus can be variable size.
>
> Added an overflow check as well, which fixes leaking the buffer, and
> capping the alphabet size fixes two potential overruns as well.
>
> Fixes: out of array access
> Fixes: 62089/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5437089094959104.fuzz
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Found-by: Hardik Shah of Vehere (Dawn Treaders team)
> Co-authored-by: Michael Niedermayer
> Signed-off-by: Leo Izen
> ---
>  libavcodec/jpegxl_parser.c | 23 +++++++++++++++++------
>  1 file changed, 17 insertions(+), 6 deletions(-)
>

Will merge soon as it fixes a clusterfuzz case.

- Leo Izen

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
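The commit message above describes three defensive measures for a parser that reads a prefix-code alphabet from untrusted input: cap the alphabet size at the spec limit of 32768 before using it to size anything, allocate heap buffers proportional to the actual alphabet rather than the maximum, and make every rejection path release what was already allocated so a bad input cannot leak. The following C block is an added illustration of that pattern and is not the FFmpeg patch nor any code from libavcodec/jpegxl_parser.c. The byte layout it parses (a 32-bit little-endian alphabet size followed by one code-length byte per symbol), the MAX_CODE_LEN value of 15, the Kraft check and the names PrefixAlphabet, prefix_alphabet_parse and prefix_alphabet_free are all assumptions made for this example; the sample inputs at the bottom are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Spec cap quoted in the commit message: a prefix alphabet holds at most 1 << 15 symbols. */
#define MAX_PREFIX_ALPHABET_SIZE (1u << 15)
/* Assumed maximum code length for this example (hypothetical, not taken from the page). */
#define MAX_CODE_LEN 15

typedef struct {
    uint32_t  alphabet_size;
    uint8_t  *lengths;  /* code length per symbol; alphabet_size entries, heap allocated */
    uint32_t *counts;   /* symbols per code length; MAX_CODE_LEN + 1 entries */
} PrefixAlphabet;

/* Release every buffer and zero the struct so a second free is harmless. */
void prefix_alphabet_free(PrefixAlphabet *pa)
{
    free(pa->lengths);
    free(pa->counts);
    memset(pa, 0, sizeof(*pa));
}

/* Parse the constructed layout: uint32 LE alphabet_size, then one length byte per
 * symbol.  Returns 0 on success, -1 on rejection; on -1 every buffer allocated so
 * far has already been released, so a rejected input cannot leak memory. */
int prefix_alphabet_parse(PrefixAlphabet *pa, const uint8_t *buf, size_t len)
{
    uint32_t alphabet_size, i;
    uint64_t kraft = 0;

    memset(pa, 0, sizeof(*pa));
    if (len < 4)
        return -1;
    alphabet_size = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                    (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;

    /* Reject sizes the spec does not allow before any allocation is sized by them. */
    if (alphabet_size == 0 || alphabet_size > MAX_PREFIX_ALPHABET_SIZE)
        return -1;
    /* Truncated input: fewer length bytes than the header promises. */
    if (len - 4 < alphabet_size)
        return -1;

    /* Size the heap buffers by the actual alphabet, not by the maximum. */
    pa->alphabet_size = alphabet_size;
    pa->lengths = calloc(alphabet_size, sizeof(*pa->lengths));
    pa->counts  = calloc(MAX_CODE_LEN + 1, sizeof(*pa->counts));
    if (!pa->lengths || !pa->counts)
        goto fail;

    for (i = 0; i < alphabet_size; i++) {
        uint8_t l = buf[4 + i];
        if (l > MAX_CODE_LEN)   /* would index past the end of counts[] */
            goto fail;
        pa->lengths[i] = l;
        pa->counts[l]++;
    }

    /* Kraft inequality: the sum over used lengths of 2^(MAX_CODE_LEN - l) must not
     * exceed 2^MAX_CODE_LEN, or the code is not decodable.  Accumulate with an
     * explicit overflow check instead of letting the sum silently wrap. */
    for (i = 1; i <= MAX_CODE_LEN; i++) {
        uint64_t term = (uint64_t)pa->counts[i] << (MAX_CODE_LEN - i);
        if (kraft > UINT64_MAX - term)
            goto fail;
        kraft += term;
    }
    if (kraft > (1ull << MAX_CODE_LEN))
        goto fail;
    return 0;

fail:
    prefix_alphabet_free(pa);
    return -1;
}

/* Constructed sample inputs (not real JPEG XL data). */
static const uint8_t sample_ok[]        = { 4, 0, 0, 0, 2, 2, 2, 2 };          /* 4 symbols, all length 2 */
static const uint8_t sample_too_big[]   = { 0x01, 0x80, 0, 0, 0 };            /* size 32769 > cap */
static const uint8_t sample_huge[]      = { 0xff, 0xff, 0xff, 0xff };         /* size 4294967295 */
static const uint8_t sample_truncated[] = { 4, 0, 0, 0, 2, 2 };                /* promises 4, gives 2 */
static const uint8_t sample_bad_kraft[] = { 3, 0, 0, 0, 1, 1, 1 };             /* three length-1 codes */

int main(void)
{
    PrefixAlphabet pa;
    printf("ok:        %d\n", prefix_alphabet_parse(&pa, sample_ok, sizeof sample_ok));
    prefix_alphabet_free(&pa);
    printf("too_big:   %d\n", prefix_alphabet_parse(&pa, sample_too_big, sizeof sample_too_big));
    printf("huge:      %d\n", prefix_alphabet_parse(&pa, sample_huge, sizeof sample_huge));
    printf("truncated: %d\n", prefix_alphabet_parse(&pa, sample_truncated, sizeof sample_truncated));
    printf("bad_kraft: %d\n", prefix_alphabet_parse(&pa, sample_bad_kraft, sizeof sample_bad_kraft));
    return 0;
}
```

The order of the checks is the point: the cap and the truncation test run before the first calloc, so an attacker-controlled size never reaches the allocator, and every later rejection goes through the single fail label that frees both buffers, which is the leak-on-error class the commit message refers to.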