Message ID | 20210122140947.18479-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Headers | show |
Series | [FFmpeg-devel,1/2] avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags() | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | fail | Make fate failed |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | warning | Make fate failed |
On Fri, Jan 22, 2021 at 11:23:09AM -0300, James Almer wrote: > On 1/22/2021 11:09 AM, Michael Niedermayer wrote: > > Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' > > Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/mxfdec.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > > index 4c932e954c..f1167761f9 100644 > > --- a/libavformat/mxfdec.c > > +++ b/libavformat/mxfdec.c > > @@ -2865,8 +2865,10 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF > > int ret; > > int tag = avio_rb16(pb); > > int size = avio_rb16(pb); /* KLV specified by 0x53 */ > > - uint64_t next = avio_tell(pb) + size; > > + uint64_t next = avio_tell(pb); > > UID uid = {0}; > > + if (next > INT64_MAX - size) > > + size = 0; > > You're discarding the tag's size. The code below could misbehave as it will > assume it's an empty tag when it's not. Not to mention the log message will > print a bogus value. > > Abort instead (Invalid data or erange) in this scenario since going beyond > INT64_MAX is clearly not supported by avio, and then do next += size to > ensure the avio_seek() at the end works as expected. I dont think this strictly implies being beyond INT64_MAX. but i wanted to redo this patch anyway as it contained another bug so next suggestion: @@ -2865,8 +2865,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ thx [...]
On 1/22/2021 7:10 PM, Michael Niedermayer wrote: > On Fri, Jan 22, 2021 at 11:23:09AM -0300, James Almer wrote: >> On 1/22/2021 11:09 AM, Michael Niedermayer wrote: >>> Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' >>> Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 >>> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >>> --- >>> libavformat/mxfdec.c | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c >>> index 4c932e954c..f1167761f9 100644 >>> --- a/libavformat/mxfdec.c >>> +++ b/libavformat/mxfdec.c >>> @@ -2865,8 +2865,10 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF >>> int ret; >>> int tag = avio_rb16(pb); >>> int size = avio_rb16(pb); /* KLV specified by 0x53 */ >>> - uint64_t next = avio_tell(pb) + size; >>> + uint64_t next = avio_tell(pb); >>> UID uid = {0}; >>> + if (next > INT64_MAX - size) >>> + size = 0; >> >> You're discarding the tag's size. The code below could misbehave as it will >> assume it's an empty tag when it's not. Not to mention the log message will >> print a bogus value. >> >> Abort instead (Invalid data or erange) in this scenario since going beyond >> INT64_MAX is clearly not supported by avio, and then do next += size to >> ensure the avio_seek() at the end works as expected. > > I dont think this strictly implies being beyond INT64_MAX. > but i wanted to redo this patch anyway as it contained another bug > so next suggestion: > > @@ -2865,8 +2865,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF > int ret; > int tag = avio_rb16(pb); > int size = avio_rb16(pb); /* KLV specified by 0x53 */ > - uint64_t next = avio_tell(pb) + size; > + int64_t next = avio_tell(pb); > UID uid = {0}; > + if (next < 0 || next > INT64_MAX - size) > + return next < 0 ? next : AVERROR_INVALIDDATA; > + next += size; > > av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); > if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ > > > thx That's better, yes.
On Fri, Jan 22, 2021 at 07:16:58PM -0300, James Almer wrote: > On 1/22/2021 7:10 PM, Michael Niedermayer wrote: > > On Fri, Jan 22, 2021 at 11:23:09AM -0300, James Almer wrote: > > > On 1/22/2021 11:09 AM, Michael Niedermayer wrote: > > > > Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' > > > > Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 > > > > > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > > --- > > > > libavformat/mxfdec.c | 4 +++- > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > > > > index 4c932e954c..f1167761f9 100644 > > > > --- a/libavformat/mxfdec.c > > > > +++ b/libavformat/mxfdec.c > > > > @@ -2865,8 +2865,10 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF > > > > int ret; > > > > int tag = avio_rb16(pb); > > > > int size = avio_rb16(pb); /* KLV specified by 0x53 */ > > > > - uint64_t next = avio_tell(pb) + size; > > > > + uint64_t next = avio_tell(pb); > > > > UID uid = {0}; > > > > + if (next > INT64_MAX - size) > > > > + size = 0; > > > > > > You're discarding the tag's size. The code below could misbehave as it will > > > assume it's an empty tag when it's not. Not to mention the log message will > > > print a bogus value. > > > > > > Abort instead (Invalid data or erange) in this scenario since going beyond > > > INT64_MAX is clearly not supported by avio, and then do next += size to > > > ensure the avio_seek() at the end works as expected. > > > > I dont think this strictly implies being beyond INT64_MAX. > > but i wanted to redo this patch anyway as it contained another bug > > so next suggestion: > > > > @@ -2865,8 +2865,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF > > int ret; > > int tag = avio_rb16(pb); > > int size = avio_rb16(pb); /* KLV specified by 0x53 */ > > - uint64_t next = avio_tell(pb) + size; > > + int64_t next = avio_tell(pb); > > UID uid = {0}; > > + if (next < 0 || next > INT64_MAX - size) > > + return next < 0 ? next : AVERROR_INVALIDDATA; > > + next += size; > > av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); > > if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ > > > > > > thx > > That's better, yes. will apply thx [...]
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4c932e954c..f1167761f9 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2865,8 +2865,10 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + uint64_t next = avio_tell(pb); UID uid = {0}; + if (next > INT64_MAX - size) + size = 0; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */
Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mxfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)