diff mbox series

[FFmpeg-devel,4/6] avformat/cafdec: saturate start + size into 64bit

Message ID 20230929232001.23197-4-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/6] avformat/avidec: support huge durations | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Sept. 29, 2023, 11:19 p.m. UTC 
Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/cafdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Almer Sept. 29, 2023, 11:41 p.m. UTC | #1 
On 9/29/2023 8:19 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long'
> Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/cafdec.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
> index e92e3279fc6..0e50a3cfe68 100644
> --- a/libavformat/cafdec.c
> +++ b/libavformat/cafdec.c
> @@ -435,7 +435,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
>   
>       /* don't read past end of data chunk */
>       if (caf->data_size > 0) {
> -        left = (caf->data_start + caf->data_size) - avio_tell(pb);
> +        left = av_sat_add64(caf->data_start, caf->data_size) - avio_tell(pb);

avio_tell(pb) here is guaranteed to be bigger than caf->data_start, 
which is the offset where the DATA chunk starts, so the result of this 
calculation will be <= INT64_MAX even if you don't saturate it and 
instead cast it to uint64_t. Nonetheless, if the DATA chunk ends at an 
offset that would not fit in an int64_t, then we can't parse it to begin 
with due to AVIOContext API limitations.

Maybe we should just abort in read_header() if data_start + data_size > 
INT64_MAX, instead of pretending we can parse the file, invalid or not, 
by saturating values.

>           if (!left)
>               return AVERROR_EOF;
>           if (left < 0)
Michael Niedermayer Sept. 30, 2023, 4:32 p.m. UTC | #2 
On Fri, Sep 29, 2023 at 08:41:23PM -0300, James Almer wrote:
> On 9/29/2023 8:19 PM, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long'
> > Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavformat/cafdec.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
> > index e92e3279fc6..0e50a3cfe68 100644
> > --- a/libavformat/cafdec.c
> > +++ b/libavformat/cafdec.c
> > @@ -435,7 +435,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
> >       /* don't read past end of data chunk */
> >       if (caf->data_size > 0) {
> > -        left = (caf->data_start + caf->data_size) - avio_tell(pb);
> > +        left = av_sat_add64(caf->data_start, caf->data_size) - avio_tell(pb);
> 
> avio_tell(pb) here is guaranteed to be bigger than caf->data_start, which is
> the offset where the DATA chunk starts, so the result of this calculation
> will be <= INT64_MAX even if you don't saturate it and instead cast it to
> uint64_t. Nonetheless, if the DATA chunk ends at an offset that would not
> fit in an int64_t, then we can't parse it to begin with due to AVIOContext
> API limitations.
> 

> Maybe we should just abort in read_header() if data_start + data_size >
> INT64_MAX, instead of pretending we can parse the file, invalid or not, by
> saturating values.

yes ill try that

thx

[...]
Michael Niedermayer March 25, 2024, 10:54 p.m. UTC | #3 
On Sat, Sep 30, 2023 at 06:32:07PM +0200, Michael Niedermayer wrote:
> On Fri, Sep 29, 2023 at 08:41:23PM -0300, James Almer wrote:
> > On 9/29/2023 8:19 PM, Michael Niedermayer wrote:
> > > Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long'
> > > Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464
> > > 
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >   libavformat/cafdec.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
> > > index e92e3279fc6..0e50a3cfe68 100644
> > > --- a/libavformat/cafdec.c
> > > +++ b/libavformat/cafdec.c
> > > @@ -435,7 +435,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
> > >       /* don't read past end of data chunk */
> > >       if (caf->data_size > 0) {
> > > -        left = (caf->data_start + caf->data_size) - avio_tell(pb);
> > > +        left = av_sat_add64(caf->data_start, caf->data_size) - avio_tell(pb);
> > 
> > avio_tell(pb) here is guaranteed to be bigger than caf->data_start, which is
> > the offset where the DATA chunk starts, so the result of this calculation
> > will be <= INT64_MAX even if you don't saturate it and instead cast it to
> > uint64_t. Nonetheless, if the DATA chunk ends at an offset that would not
> > fit in an int64_t, then we can't parse it to begin with due to AVIOContext
> > API limitations.
> > 
> 
> > Maybe we should just abort in read_header() if data_start + data_size >
> > INT64_MAX, instead of pretending we can parse the file, invalid or not, by
> > saturating values.
> 
> yes ill try that

ossfuzz moved the testcases all to another unrelated issues (62276)

ill apply this as suggested with the check in read_header() below:

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 72809fd1de2..07a2939a7a6 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -343,6 +343,9 @@ static int read_header(AVFormatContext *s)
             avio_skip(pb, 4); /* edit count */
             caf->data_start = avio_tell(pb);
             caf->data_size  = size < 0 ? -1 : size - 4;
+            if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start)
+                return AVERROR_INVALIDDATA;
+
             if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL))
                 avio_skip(pb, caf->data_size);
             found_data = 1;

[...]
diff mbox series

Patch

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index e92e3279fc6..0e50a3cfe68 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -435,7 +435,7 @@  static int read_packet(AVFormatContext *s, AVPacket *pkt)
 
     /* don't read past end of data chunk */
     if (caf->data_size > 0) {
-        left = (caf->data_start + caf->data_size) - avio_tell(pb);
+        left = av_sat_add64(caf->data_start, caf->data_size) - avio_tell(pb);
         if (!left)
             return AVERROR_EOF;
         if (left < 0)