From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id DCB98496F4
	for <ffmpegdev@gitmailbox.com>; Sun, 18 Feb 2024 02:50:43 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0CA5068D08E;
	Sun, 18 Feb 2024 04:50:41 +0200 (EET)
Received: from mail-yb1-f173.google.com (mail-yb1-f173.google.com
 [209.85.219.173])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B4D8168D08E
 for <ffmpeg-devel@ffmpeg.org>; Sun, 18 Feb 2024 04:50:34 +0200 (EET)
Received: by mail-yb1-f173.google.com with SMTP id
 3f1490d57ef6-dcd7c526cc0so3601214276.1
 for <ffmpeg-devel@ffmpeg.org>; Sat, 17 Feb 2024 18:50:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1708224632; x=1708829432; darn=ffmpeg.org;
 h=content-transfer-encoding:in-reply-to:from:references:to
 :content-language:subject:user-agent:mime-version:date:message-id
 :from:to:cc:subject:date:message-id:reply-to;
 bh=qfbJ+1MFOYax26IvA2U08MCvblnuaeYgOBbky68qwMI=;
 b=TwNyGf1rO+o3SQ6fWdvt3B3w7OqNReauXf7SqHc3B4BI5bGG8UouWCyTXqz6s+Jwcu
 S+5vIu75/erOhYIjSH0f6R+8bLe870GMBWblDBFNIWwk+0v6Wy1wPEqh6FJGahhJvO0t
 6AfhWpb8VEgJ/u5zSTtzN+jNSWLKIzaySwEqlKnCgKEDIPKo0GRZxART0wk2ub9ZfwZH
 1d/USRvGxHawFU8FxkttEeLbu2gNerFm6QsrHZ72h3666fUpbvwI7z23QogNN0OxFdkl
 i419uWEKdgnDTkhjqqOs/0wNl4GJYp4Yvc1LmsujBZR3uGUzzWIJ0JXbfCxnmbC5wEVh
 dbWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1708224632; x=1708829432;
 h=content-transfer-encoding:in-reply-to:from:references:to
 :content-language:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=qfbJ+1MFOYax26IvA2U08MCvblnuaeYgOBbky68qwMI=;
 b=fKRgeywb/Db2HqUxPiqPYuy2FyaofU0n/UnURQR4Pz5jks5aIrkmu1skK/LcdhMibQ
 2uLuwVKYe/pX84iDbN36kVtyIUud8jg/0fy2ZlyH9YCsgHYpTl7g5tu22d9lDBWHwf0Q
 Dhg2uqYXYb1xmJ1sRVpRY6yGQ3BYIqvhL5Sqs8vqMdJRllA9VCLhYVEp0/nYG2J0I78K
 eWJLbM9y4S5HJ/i5IVaPA9pK9gDacg+2CnwFVscya83hdk1xnT41IVd5n3NkGbTUbLqo
 No2KZGNjGZl0yr4wMxvf1fWNlJiC2C+rwRs+vegmN3kXfC4v25VhZH9ZV5px6EMcP6mo
 2xEQ==
X-Gm-Message-State: AOJu0YxsmwwUHAQGMAAAHIAoNRyZkAW9Ty+llipEYqatFxLUKRpe2p7+
 8EWc6wtplcxxysPpQIrBTK8wF2gnEBEWSyogtcj/DyVmpHW3ank2PExdXc3s
X-Google-Smtp-Source: AGHT+IGEYtzDDvVuv36pyI34rCXtjLlonzpEvN/Dzgk2KdUZHxM+Aw6J1sfzxxv4NZzvMZAHmFFCuw==
X-Received: by 2002:a05:690c:93:b0:607:d5c7:6a8a with SMTP id
 be19-20020a05690c009300b00607d5c76a8amr10612084ywb.25.1708224631921; 
 Sat, 17 Feb 2024 18:50:31 -0800 (PST)
Received: from [192.168.0.16] (host197.190-225-105.telecom.net.ar.
 [190.225.105.197]) by smtp.gmail.com with ESMTPSA id
 fn15-20020a056a002fcf00b006e324e33ab8sm1775575pfb.218.2024.02.17.18.50.30
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sat, 17 Feb 2024 18:50:31 -0800 (PST)
Message-ID: <fcb60efe-0b22-4dd4-8857-5356e5053fc8@gmail.com>
Date: Sat, 17 Feb 2024 23:50:30 -0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: ffmpeg-devel@ffmpeg.org
References: <AS8P250MB0744914D7591F027FA706A7E8F522@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM>
From: James Almer <jamrial@gmail.com>
In-Reply-To: <AS8P250MB0744914D7591F027FA706A7E8F522@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM>
Subject: Re: [FFmpeg-devel] [PATCH 1/5] avcodec/bsf/(hevc|vvc)_mp4toannexb:
 Ensure extradata_size < INT_MAX
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/fcb60efe-0b22-4dd4-8857-5356e5053fc8@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 2/17/2024 11:41 PM, Andreas Rheinhardt wrote:
> AVCodecParameters.extradata_size is an int.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
> ---
>   libavcodec/bsf/hevc_mp4toannexb.c | 2 +-
>   libavcodec/bsf/vvc_mp4toannexb.c  | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/bsf/hevc_mp4toannexb.c b/libavcodec/bsf/hevc_mp4toannexb.c
> index 8eec18f31e..c0df2b79a6 100644
> --- a/libavcodec/bsf/hevc_mp4toannexb.c
> +++ b/libavcodec/bsf/hevc_mp4toannexb.c
> @@ -69,7 +69,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
>   
>               if (!nalu_len ||
>                   nalu_len > bytestream2_get_bytes_left(&gb) ||
> -                4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
> +                4 + nalu_len > FFMIN(INT_MAX, SIZE_MAX) - AV_INPUT_BUFFER_PADDING_SIZE - new_extradata_size) {
>                   ret = AVERROR_INVALIDDATA;
>                   goto fail;
>               }
> diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c
> index 36bdae8f49..1b851f3223 100644
> --- a/libavcodec/bsf/vvc_mp4toannexb.c
> +++ b/libavcodec/bsf/vvc_mp4toannexb.c
> @@ -159,7 +159,7 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx)
>   
>               if (!nalu_len ||
>                   nalu_len > bytestream2_get_bytes_left(&gb) ||
> -                4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
> +                4 + nalu_len > FFMIN(INT_MAX, SIZE_MAX) - AV_INPUT_BUFFER_PADDING_SIZE - new_extradata_size) {

Just use INT_MAX, there's no point in this check. Do you expect a system 
where an int is smaller than the type meant to store size of buffers in 
memory?

>                   ret = AVERROR_INVALIDDATA;
>                   goto fail;
>               }
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".