From patchwork Thu Jun  8 14:26:37 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leo Izen <leo.izen@gmail.com>
X-Patchwork-Id: 42015
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:c526:b0:117:ac03:c9de with SMTP id
 gm38csp438863pzb;
        Thu, 8 Jun 2023 07:27:37 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ7qbvSN2DF2JvhXWrV66Y1FhEUltmg5Wq+FW3e8w3ibaDP/GoRaHEZdgFqY8mqzciwiwQ8c
X-Received: by 2002:a17:907:8a05:b0:973:c070:1b5f with SMTP id
 sc5-20020a1709078a0500b00973c0701b5fmr9713910ejc.44.1686234457172;
        Thu, 08 Jun 2023 07:27:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1686234457; cv=none;
        d=google.com; s=arc-20160816;
        b=dGWgKkeNvRwfcgaT2Cltyp1YXmnN1J7DRsT9KD4BPma/md8Rs0TA08VfavAAb/BCa0
         gIIRUb7ybVqYA4dYAexnQaDq29GJjwi19s/utMSWctSFEyC4Z9iCOIhERjkxenw5uYxB
         q7iFpE6tL+pESPgS7moYh3mXIoOKdLoVjk3DXv49vJom+QqY7XXmNnx6atzyEPRumrum
         AUjwNfXLypIONSwE15zGnAu33BN+VscvQ4jCYpAVyQc4ig5AHHb+9zhCaJFKw353ce21
         jEW+T2JbWrWYVehukHouGxtkWpfKeI7wDWOtKmk7hQZWhiI73p6iqAq8onnsXk2V9LvS
         ihUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:cc:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:mime-version:references:in-reply-to
         :message-id:date:to:from:dkim-signature:delivered-to;
        bh=iOv2kMWbQdbXlLOwbXeS5DwA8RQCj6g48dvboqUMBE4=;
        b=Cbo0mzyJn2su89ywhB3UXQlk+ieoAC4cpNDaLVhT32nC9X0VFX3pztWTfzWtXYn1xb
         LiuyrnVWxLfHQ7zA9TxSLjh1Bd2HmQfxeStTx4gua4D9GV0FmW/pQ0dIp5WTr0qO98ne
         njd7Ptotbwn45sA3VW3/I+ELvv0uw3Fd7rJ9O+31vqLCaXJ1yQllxDr5AWj8lBFy4viu
         Rz7ofUeI1ahZ4OCml6VFaMrv5KM1Svep5cYFfb+Vgr49HTn7Ii2Ybw10PHkhYFaVci0R
         L60ahfUyFuqmGAPzZEEr+Tk8ipbRKfbtYEa/PEHNw5s/lS0qTUZHvM2Qz4mR97otmqDh
         AQKg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20221208 header.b=GFsJwT1R;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 v23-20020aa7cd57000000b00514a0ec9898si798018edw.341.2023.06.08.07.27.36;
        Thu, 08 Jun 2023 07:27:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20221208 header.b=GFsJwT1R;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 441FB68C312;
	Thu,  8 Jun 2023 17:26:52 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-oa1-f48.google.com (mail-oa1-f48.google.com
 [209.85.160.48])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id ED0E068C31C
 for <ffmpeg-devel@ffmpeg.org>; Thu,  8 Jun 2023 17:26:43 +0300 (EEST)
Received: by mail-oa1-f48.google.com with SMTP id
 586e51a60fabf-1a2dd615ddcso69412fac.0
 for <ffmpeg-devel@ffmpeg.org>; Thu, 08 Jun 2023 07:26:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1686234402; x=1688826402;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=qH7qDCfOBbDDfJXOtXNxTIYw4pquCnC4jVw/+w4a5EA=;
 b=GFsJwT1RKQORR4zsMNj6HnehlNdUCwXSdDWjRARvWl404ctxnQ9T8Nh+M6dR+zPwky
 VZgRIwPEYRB0obDDtwPEjuPvrMpUmS23qHSgG+4ydeVCySL30BE3YbnrtM+yPqizBUqP
 ldez7GZEkzWOgNiUc8pxJkIuowJ4mEeYRc2eGFF9LCYPpGm0wbsJft8X8l9RDfdIZo7s
 NgSJkM8aU/SJuIUWY2U7RDyIuOcGpFltpWo1SZlztRE83TcOy5URZOd3Vf/T5oESdw4l
 O8NacHlxjUU6av13/qk6zjsPA1f22/Y2sAGE30JWRKKcHJgrTVDrIEzXGW2+tTRvlpJg
 VcUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1686234402; x=1688826402;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=qH7qDCfOBbDDfJXOtXNxTIYw4pquCnC4jVw/+w4a5EA=;
 b=FW5F6XfQE+9HsLb62owPS2ZVCAt5esNgCbd7VnmYSyOjahz4tu/899HOiTjcjSKKBv
 kazLuyqOoY//kBclQgTyrll2kY94nuk5OJ4u7cpCfN4SqbSfsulXTXByT3mi80TajvnJ
 p9HHYNGdt4Qcd4fVAgjjNNxy4WETIOQQKjjpYXhJ7xxJgNilBRamTirb5s2faj7jQu+9
 +iz/WVYIyFBLzvUDeVChW3317cBfc+c4a6eoRR3YLz++4ivBHwEvu+h7EZNVr48Vd1Pb
 1WXNKXk7BaqM/5MjIGXreKVUQ8hAOeSIJDMxoLPUYPZMb2dpvZdLKWUgpy6qe2B/RVLA
 wkYg==
X-Gm-Message-State: AC+VfDyOWXtZjyQlIiRiAKJ53Uw044mwHeHltXHoGESI4u+LDTWx7Kic
 YV7xhQeAP0zxOw8MvLQ/dkhoUYTSCSU=
X-Received: by 2002:a05:6870:f5aa:b0:19f:5cb8:b5fa with SMTP id
 eh42-20020a056870f5aa00b0019f5cb8b5famr4150010oab.3.1686234402239;
 Thu, 08 Jun 2023 07:26:42 -0700 (PDT)
Received: from gauss.local (c-98-224-219-15.hsd1.mi.comcast.net.
 [98.224.219.15]) by smtp.gmail.com with ESMTPSA id
 b206-20020a0dd9d7000000b0056943d9cf8fsm414589ywe.9.2023.06.08.07.26.41
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 08 Jun 2023 07:26:42 -0700 (PDT)
From: Leo Izen <leo.izen@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu,  8 Jun 2023 10:26:37 -0400
Message-Id: <20230608142637.45033-6-leo.izen@gmail.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20230608142637.45033-1-leo.izen@gmail.com>
References: <20230608142637.45033-1-leo.izen@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun
 with jxlp boxes in container
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Leo Izen <leo.izen@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: 1pnFBwL6PKpj

This should avoid overrunning buffers with jxlp boxes if the size is
zero or if the size is so small the box is invalid.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
---
 libavformat/jpegxl_anim_dec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index 6ea6c46d8f..c9e4dcd5fc 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp
         tag = AV_RL32(b);
         b += 4;
         if (tag == MKTAG('j', 'x', 'l', 'p')) {
+            if (b - input_buffer >= input_len - 4)
+                break;
             b += 4;
-            size -= 4;
+            if (size) {
+                if (size < 4)
+                    return AVERROR_INVALIDDATA;
+                size -= 4;
+            }
         }
 
         if (tag == MKTAG('j', 'x', 'l', 'c') || tag == MKTAG('j', 'x', 'l', 'p')) {