* [FFmpeg-devel] [PATCH] avformat/mov: fix overallocation when reading pssh/saiz
@ 2023-06-12 11:56 Zhao Zhili
2023-06-12 12:06 ` Marvin Scholz (ePirat)
0 siblings, 1 reply; 3+ messages in thread
From: Zhao Zhili @ 2023-06-12 11:56 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Zhao Zhili
From: Zhao Zhili <zhilizhao@tencent.com>
mov_try_read_block() allocates 1MB at least, which can be more than
enough. It was called when reading saiz box, which can appear
periodically inside fmp4. This consumes a lot of memory.
We can fix mov_try_read_block() by clamp 'block_size' with 'size'.
However, the function is harmful than helpful. It avoids allocating
large memory when the real data is small. Even in that case, if
allocating large memory directly failed, it's fine to return ENOMEM;
if allocating success and reading doesn't match the given size, it's
fine to free and return AVERROR_INVALIDDATA. In other cases, it's a
waste of CPU and memory.
So I decided to remove the function, and replace it by call
av_malloc() and avio_read() directly.
mov_read_saiz() and mov_read_pssh() need more check, but they don't
belong to this patch.
Fixes #7641 and #9243.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
---
libavformat/mov.c | 63 +++++++++++++++++++----------------------------
1 file changed, 25 insertions(+), 38 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index a8d004e02b..3d0969545a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6649,38 +6649,6 @@ finish:
return ret;
}
-/**
- * Tries to read the given number of bytes from the stream and puts it in a
- * newly allocated buffer. This reads in small chunks to avoid allocating large
- * memory if the file contains an invalid/malicious size value.
- */
-static int mov_try_read_block(AVIOContext *pb, size_t size, uint8_t **data)
-{
- const unsigned int block_size = 1024 * 1024;
- uint8_t *buffer = NULL;
- unsigned int alloc_size = 0, offset = 0;
- while (offset < size) {
- unsigned int new_size =
- alloc_size >= INT_MAX - block_size ? INT_MAX : alloc_size + block_size;
- uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size, new_size);
- unsigned int to_read = FFMIN(size, alloc_size) - offset;
- if (!new_buffer) {
- av_free(buffer);
- return AVERROR(ENOMEM);
- }
- buffer = new_buffer;
-
- if (avio_read(pb, buffer + offset, to_read) != to_read) {
- av_free(buffer);
- return AVERROR_INVALIDDATA;
- }
- offset += to_read;
- }
-
- *data = buffer;
- return 0;
-}
-
static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
MOVEncryptionIndex *encryption_index;
@@ -6736,15 +6704,24 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
encryption_index->auxiliary_info_default_size = avio_r8(pb);
sample_count = avio_rb32(pb);
- encryption_index->auxiliary_info_sample_count = sample_count;
if (encryption_index->auxiliary_info_default_size == 0) {
- ret = mov_try_read_block(pb, sample_count, &encryption_index->auxiliary_info_sizes);
- if (ret < 0) {
- av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info\n");
+ encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
+ if (!encryption_index->auxiliary_info_sizes)
+ return AVERROR(ENOMEM);
+
+ ret = avio_read(pb, encryption_index->auxiliary_info_sizes, sample_count);
+ if (ret != sample_count) {
+ av_freep(&encryption_index->auxiliary_info_sizes);
+
+ if (ret >= 0)
+ ret = AVERROR_INVALIDDATA;
+ av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info, %s\n",
+ av_err2str(ret));
return ret;
}
}
+ encryption_index->auxiliary_info_sample_count = sample_count;
if (encryption_index->auxiliary_offsets_count) {
return mov_parse_auxiliary_info(c, sc, pb, encryption_index);
@@ -6913,9 +6890,19 @@ static int mov_read_pssh(MOVContext *c, AVIOContext *pb, MOVAtom atom)
}
extra_data_size = avio_rb32(pb);
- ret = mov_try_read_block(pb, extra_data_size, &extra_data);
- if (ret < 0)
+ extra_data = av_malloc(extra_data_size);
+ if (!extra_data) {
+ ret = AVERROR(ENOMEM);
goto finish;
+ }
+ ret = avio_read(pb, extra_data, extra_data_size);
+ if (ret != extra_data_size) {
+ av_free(extra_data);
+
+ if (ret >= 0)
+ ret = AVERROR_INVALIDDATA;
+ goto finish;
+ }
av_freep(&info->data); // malloc(0) may still allocate something.
info->data = extra_data;
--
2.25.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/mov: fix overallocation when reading pssh/saiz
2023-06-12 11:56 [FFmpeg-devel] [PATCH] avformat/mov: fix overallocation when reading pssh/saiz Zhao Zhili
@ 2023-06-12 12:06 ` Marvin Scholz (ePirat)
2023-06-12 12:28 ` "zhilizhao(赵志立)"
0 siblings, 1 reply; 3+ messages in thread
From: Marvin Scholz (ePirat) @ 2023-06-12 12:06 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Hi,
> On 12. Jun 2023, at 13:56, Zhao Zhili <quinkblack@foxmail.com> wrote:
>
> From: Zhao Zhili <zhilizhao@tencent.com>
>
> mov_try_read_block() allocates 1MB at least, which can be more than
> enough. It was called when reading saiz box, which can appear
> periodically inside fmp4. This consumes a lot of memory.
>
> We can fix mov_try_read_block() by clamp 'block_size' with 'size'.
> However, the function is harmful than helpful. It avoids allocating
> large memory when the real data is small. Even in that case, if
> allocating large memory directly failed, it's fine to return ENOMEM;
> if allocating success and reading doesn't match the given size, it's
> fine to free and return AVERROR_INVALIDDATA. In other cases, it's a
> waste of CPU and memory.
>
> So I decided to remove the function, and replace it by call
> av_malloc() and avio_read() directly.
>
> mov_read_saiz() and mov_read_pssh() need more check, but they don't
> belong to this patch.
>
> Fixes #7641 and #9243.
>
> Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
> ---
> libavformat/mov.c | 63 +++++++++++++++++++----------------------------
> 1 file changed, 25 insertions(+), 38 deletions(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index a8d004e02b..3d0969545a 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -6649,38 +6649,6 @@ finish:
> return ret;
> }
>
> -/**
> - * Tries to read the given number of bytes from the stream and puts it in a
> - * newly allocated buffer. This reads in small chunks to avoid allocating large
> - * memory if the file contains an invalid/malicious size value.
I fail to see how your replacement code addresses the malicious size value case that this function mitigated, see in more detail what I mean below…
> - */
> -static int mov_try_read_block(AVIOContext *pb, size_t size, uint8_t **data)
> -{
> - const unsigned int block_size = 1024 * 1024;
> - uint8_t *buffer = NULL;
> - unsigned int alloc_size = 0, offset = 0;
> - while (offset < size) {
> - unsigned int new_size =
> - alloc_size >= INT_MAX - block_size ? INT_MAX : alloc_size + block_size;
> - uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size, new_size);
> - unsigned int to_read = FFMIN(size, alloc_size) - offset;
> - if (!new_buffer) {
> - av_free(buffer);
> - return AVERROR(ENOMEM);
> - }
> - buffer = new_buffer;
> -
> - if (avio_read(pb, buffer + offset, to_read) != to_read) {
> - av_free(buffer);
> - return AVERROR_INVALIDDATA;
> - }
> - offset += to_read;
> - }
> -
> - *data = buffer;
> - return 0;
> -}
> -
> static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> {
> MOVEncryptionIndex *encryption_index;
> @@ -6736,15 +6704,24 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>
> encryption_index->auxiliary_info_default_size = avio_r8(pb);
> sample_count = avio_rb32(pb);
> - encryption_index->auxiliary_info_sample_count = sample_count;
>
> if (encryption_index->auxiliary_info_default_size == 0) {
> - ret = mov_try_read_block(pb, sample_count, &encryption_index->auxiliary_info_sizes);
> - if (ret < 0) {
> - av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info\n");
> + encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
> + if (!encryption_index->auxiliary_info_sizes)
> + return AVERROR(ENOMEM);
> +
> + ret = avio_read(pb, encryption_index->auxiliary_info_sizes, sample_count);
> + if (ret != sample_count) {
> + av_freep(&encryption_index->auxiliary_info_sizes);
> +
> + if (ret >= 0)
> + ret = AVERROR_INVALIDDATA;
> + av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info, %s\n",
> + av_err2str(ret));
> return ret;
> }
> }
> + encryption_index->auxiliary_info_sample_count = sample_count;
>
> if (encryption_index->auxiliary_offsets_count) {
> return mov_parse_auxiliary_info(c, sc, pb, encryption_index);
> @@ -6913,9 +6890,19 @@ static int mov_read_pssh(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> }
>
> extra_data_size = avio_rb32(pb);
> - ret = mov_try_read_block(pb, extra_data_size, &extra_data);
> - if (ret < 0)
> + extra_data = av_malloc(extra_data_size);
If I understand correctly you are now effectively passing a potentially malicious size value directly to malloc, allowing an attacker to exhaust memory with a crafted file.
> + if (!extra_data) {
> + ret = AVERROR(ENOMEM);
> goto finish;
> + }
> + ret = avio_read(pb, extra_data, extra_data_size);
> + if (ret != extra_data_size) {
> + av_free(extra_data);
> +
> + if (ret >= 0)
> + ret = AVERROR_INVALIDDATA;
> + goto finish;
> + }
>
> av_freep(&info->data); // malloc(0) may still allocate something.
> info->data = extra_data;
> --
> 2.25.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/mov: fix overallocation when reading pssh/saiz
2023-06-12 12:06 ` Marvin Scholz (ePirat)
@ 2023-06-12 12:28 ` "zhilizhao(赵志立)"
0 siblings, 0 replies; 3+ messages in thread
From: "zhilizhao(赵志立)" @ 2023-06-12 12:28 UTC (permalink / raw)
To: FFmpeg development discussions and patches
> On Jun 12, 2023, at 20:06, Marvin Scholz (ePirat) <epirat07@gmail.com> wrote:
>
> Hi,
>
>> On 12. Jun 2023, at 13:56, Zhao Zhili <quinkblack@foxmail.com> wrote:
>>
>> From: Zhao Zhili <zhilizhao@tencent.com>
>>
>> mov_try_read_block() allocates 1MB at least, which can be more than
>> enough. It was called when reading saiz box, which can appear
>> periodically inside fmp4. This consumes a lot of memory.
>>
>> We can fix mov_try_read_block() by clamp 'block_size' with 'size'.
>> However, the function is harmful than helpful. It avoids allocating
>> large memory when the real data is small. Even in that case, if
>> allocating large memory directly failed, it's fine to return ENOMEM;
>> if allocating success and reading doesn't match the given size, it's
>> fine to free and return AVERROR_INVALIDDATA. In other cases, it's a
>> waste of CPU and memory.
>>
>> So I decided to remove the function, and replace it by call
>> av_malloc() and avio_read() directly.
>>
>> mov_read_saiz() and mov_read_pssh() need more check, but they don't
>> belong to this patch.
>>
>> Fixes #7641 and #9243.
>>
>> Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
>> ---
>> libavformat/mov.c | 63 +++++++++++++++++++----------------------------
>> 1 file changed, 25 insertions(+), 38 deletions(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index a8d004e02b..3d0969545a 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -6649,38 +6649,6 @@ finish:
>> return ret;
>> }
>>
>> -/**
>> - * Tries to read the given number of bytes from the stream and puts it in a
>> - * newly allocated buffer. This reads in small chunks to avoid allocating large
>> - * memory if the file contains an invalid/malicious size value.
>
> I fail to see how your replacement code addresses the malicious size value case that this function mitigated, see in more detail what I mean below…
>
>> - */
>> -static int mov_try_read_block(AVIOContext *pb, size_t size, uint8_t **data)
>> -{
>> - const unsigned int block_size = 1024 * 1024;
>> - uint8_t *buffer = NULL;
>> - unsigned int alloc_size = 0, offset = 0;
>> - while (offset < size) {
>> - unsigned int new_size =
>> - alloc_size >= INT_MAX - block_size ? INT_MAX : alloc_size + block_size;
>> - uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size, new_size);
>> - unsigned int to_read = FFMIN(size, alloc_size) - offset;
>> - if (!new_buffer) {
>> - av_free(buffer);
>> - return AVERROR(ENOMEM);
>> - }
>> - buffer = new_buffer;
>> -
>> - if (avio_read(pb, buffer + offset, to_read) != to_read) {
>> - av_free(buffer);
>> - return AVERROR_INVALIDDATA;
>> - }
>> - offset += to_read;
>> - }
>> -
>> - *data = buffer;
>> - return 0;
>> -}
>> -
>> static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>> {
>> MOVEncryptionIndex *encryption_index;
>> @@ -6736,15 +6704,24 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>
>> encryption_index->auxiliary_info_default_size = avio_r8(pb);
>> sample_count = avio_rb32(pb);
>> - encryption_index->auxiliary_info_sample_count = sample_count;
>>
>> if (encryption_index->auxiliary_info_default_size == 0) {
>> - ret = mov_try_read_block(pb, sample_count, &encryption_index->auxiliary_info_sizes);
>> - if (ret < 0) {
>> - av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info\n");
>> + encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
>> + if (!encryption_index->auxiliary_info_sizes)
>> + return AVERROR(ENOMEM);
>> +
>> + ret = avio_read(pb, encryption_index->auxiliary_info_sizes, sample_count);
>> + if (ret != sample_count) {
>> + av_freep(&encryption_index->auxiliary_info_sizes);
>> +
>> + if (ret >= 0)
>> + ret = AVERROR_INVALIDDATA;
>> + av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info, %s\n",
>> + av_err2str(ret));
>> return ret;
>> }
>> }
>> + encryption_index->auxiliary_info_sample_count = sample_count;
>>
>> if (encryption_index->auxiliary_offsets_count) {
>> return mov_parse_auxiliary_info(c, sc, pb, encryption_index);
>> @@ -6913,9 +6890,19 @@ static int mov_read_pssh(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>> }
>>
>> extra_data_size = avio_rb32(pb);
>> - ret = mov_try_read_block(pb, extra_data_size, &extra_data);
>> - if (ret < 0)
>> + extra_data = av_malloc(extra_data_size);
>
> If I understand correctly you are now effectively passing a potentially malicious size value directly to malloc, allowing an attacker to exhaust memory with a crafted file.
1. If malloc failed, it doesn’t exhaust memory.
2. If malloc success and the real data is less than extra_data_size, the memory
will be freed immediately.
3. Almost every box with undetermined length of entries have this issue.
4. We can check extra_data_size < atom.size (which make sense), but it doesn’t help
much in this case.
Now let consider the normal case when extra_data_size isn’t a malicious size, like
48. The original code will allocate 1M and only use 48 bytes. Like I said in the
commit message, we can limit block_size by
const unsigned int block_size = FF_MIN(1024 * 1024, size).
But the function itself is useless and hurt performance. And it has more issues: it
can clamp the size silently when alloc_size >= INT_MAX - block_size, then overwrite
old data by new data.
unsigned int new_size =
- alloc_size >= INT_MAX - block_size ? INT_MAX : alloc_size + block_size;
- uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size, new_size);
>
>> + if (!extra_data) {
>> + ret = AVERROR(ENOMEM);
>> goto finish;
>> + }
>> + ret = avio_read(pb, extra_data, extra_data_size);
>> + if (ret != extra_data_size) {
>> + av_free(extra_data);
>> +
>> + if (ret >= 0)
>> + ret = AVERROR_INVALIDDATA;
>> + goto finish;
>> + }
>>
>> av_freep(&info->data); // malloc(0) may still allocate something.
>> info->data = extra_data;
>> --
>> 2.25.1
>>
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel@ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-06-12 12:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-12 11:56 [FFmpeg-devel] [PATCH] avformat/mov: fix overallocation when reading pssh/saiz Zhao Zhili
2023-06-12 12:06 ` Marvin Scholz (ePirat)
2023-06-12 12:28 ` "zhilizhao(赵志立)"
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git