Date: Sun, 18 Jun 2023 18:57:58 -0400
To: ffmpeg-devel@ffmpeg.org
References: <20230618215021.3044-1-michael@niedermayer.cc> <20230618215021.3044-3-michael@niedermayer.cc>
From: Leo Izen
In-Reply-To: <20230618215021.3044-3-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 3/6] avformat/jpegxl_anim_dec: add FF_JPEGXL_CONTAINER_SIGNATURE_LE

On 6/18/23 17:50, Michael Niedermayer wrote: > Fixes: out of array read > Fixes: 59828/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5029813220671488 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavformat/jpegxl_anim_dec.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c > index c62b596f76..7e4d39385c 100644 > --- a/libavformat/jpegxl_anim_dec.c > +++ b/libavformat/jpegxl_anim_dec.c > @@ -108,7 +108,7 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp > > static int jpegxl_anim_probe(const AVProbeData *p) > { > - uint8_t buffer[4096]; > + uint8_t buffer[4096 + AV_INPUT_BUFFER_PADDING_SIZE]; > int copied; > > /* this is a raw codestream */ 
> @@ -123,7 +123,7 @@ static int jpegxl_anim_probe(const AVProbeData *p) > if (AV_RL64(p->buf) != FF_JPEGXL_CONTAINER_SIGNATURE_LE) > return 0; > > - if (jpegxl_collect_codestream_header(p->buf, p->buf_size, buffer, sizeof(buffer), &copied) <= 0 || copied <= 0) > + if (jpegxl_collect_codestream_header(p->buf, p->buf_size, buffer, sizeof(buffer) - AV_INPUT_BUFFER_PADDING_SIZE, &copied) <= 0 || copied <= 0) > return 0; > > if (ff_jpegxl_verify_codestream_header(buffer, copied, 0) >= 1) > @@ -138,7 +138,8 @@ static int jpegxl_anim_read_header(AVFormatContext *s) > AVIOContext *pb = s->pb; > AVStream *st; > int offset = 0; > - uint8_t head[256]; > + uint8_t head[256 + AV_INPUT_BUFFER_PADDING_SIZE]; > + const int sizeofhead = sizeof(head) - AV_INPUT_BUFFER_PADDING_SIZE; > int headsize = 0; > int ctrl; > AVRational tb; > @@ -147,7 +148,7 @@ static int jpegxl_anim_read_header(AVFormatContext *s) > uint64_t sig16 = avio_rl16(pb); > if (sig16 == FF_JPEGXL_CODESTREAM_SIGNATURE_LE) { > AV_WL16(head, sig16); > - headsize = avio_read(s->pb, head + 2, sizeof(head) - 2); > + headsize = avio_read(s->pb, head + 2, sizeofhead - 2); > if (headsize < 0) > return headsize; > headsize += 2; 
> @@ -178,10 +179,10 @@ static int jpegxl_anim_read_header(AVFormatContext *s) > if (av_buffer_realloc(&ctx->initial, ctx->initial->size + read) < 0) > return AVERROR(ENOMEM); > } > - jpegxl_collect_codestream_header(buf, read, head + headsize, sizeof(head) - headsize, &copied); > + jpegxl_collect_codestream_header(buf, read, head + headsize, sizeofhead - headsize, &copied); > memcpy(ctx->initial->data + (ctx->initial->size - read), buf, read); > headsize += copied; > - if (headsize >= sizeof(head) || read < sizeof(buf)) > + if (headsize >= sizeofhead || read < sizeof(buf)) > break; > } > }

What's with the commit message? Seems unrelated to the change.

- Leo Izen
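Review bot: the commit message does not say which reader runs past the end of `buffer`, and nothing in the first hunk (@@ -108) shows it either; the fix is to append AV_INPUT_BUFFER_PADDING_SIZE to a stack array rather than to bound a read, so a sentence naming the consumer that reads beyond `copied` bytes (the `ff_jpegxl_verify_codestream_header(buffer, copied, 0)` call is the only candidate visible here) would make the purpose of the padding clear to whoever touches this buffer next.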
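Review bot: in the jpegxl_anim_probe hunk (@@ -123) the added padding bytes are never zeroed: `buffer` is an uninitialized stack array, `jpegxl_collect_codestream_header()` fills at most `sizeof(buffer) - AV_INPUT_BUFFER_PADDING_SIZE` bytes, and `ff_jpegxl_verify_codestream_header()` is then handed `buffer, copied`. If the verifier overreads into the padding, which is the only reason to add it, it reads stack garbage rather than zeros, so the result is no longer out of bounds but is still input-independent noise. Suggest `memset(buffer + copied, 0, AV_INPUT_BUFFER_PADDING_SIZE);` before the verify call, matching the zero-padding convention AV_INPUT_BUFFER_PADDING_SIZE exists for.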
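Review bot: in the last hunk (@@ -178) `head` has the same uninitialized-padding issue as `buffer` in probe: the loop stops once `headsize >= sizeofhead`, so `head + headsize` is always followed by at least AV_INPUT_BUFFER_PADDING_SIZE bytes of the array, but those bytes hold whatever was on the stack. A `memset(head + headsize, 0, AV_INPUT_BUFFER_PADDING_SIZE);` after the loop would make the padding deterministic. Separately, replacing `headsize >= sizeof(head)` with `headsize >= sizeofhead` also turns an int-vs-size_t comparison into int-vs-int, which is a welcome side effect worth a word in the commit message.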