diff mbox series

[FFmpeg-devel,5/9] avformat/mov: Check extend and base offset

Message ID 20240616230831.912377-5-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/9] avcodec/targaenc: Allocate space for the palette | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished

Commit Message

Michael Niedermayer June 16, 2024, 11:08 p.m. UTC 
Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

James Almer June 18, 2024, 12:41 a.m. UTC | #1 
On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/mov.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 9016cd5ad08..46cbce98040 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>           }
>           for (int j = 0; j < extent_count; j++) {
>               if (rb_size(pb, &extent_offset, offset_size) < 0 ||
> -                rb_size(pb, &extent_length, length_size) < 0)
> +                rb_size(pb, &extent_length, length_size) < 0 ||
> +                base_offset < 0 || extent_offset < 0 ||
> +                base_offset + (uint64_t)extent_offset > INT64_MAX)

You can do the negative value check directly in rb_size() instead. And 
I'd prefer the other check to be (base_offset > INT64_MAX - extent_offset).

>                   return AVERROR_INVALIDDATA;
>               if (offset_type == 1)
>                   c->heif_item[i].is_idat_relative = 1;
Rémi Denis-Courmont June 18, 2024, 7:07 a.m. UTC | #2 
Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>
>Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>---
> libavformat/mov.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/libavformat/mov.c b/libavformat/mov.c
>index 9016cd5ad08..46cbce98040 100644
>--- a/libavformat/mov.c
>+++ b/libavformat/mov.c
>@@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>         }
>         for (int j = 0; j < extent_count; j++) {
>             if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>-                rb_size(pb, &extent_length, length_size) < 0)
>+                rb_size(pb, &extent_length, length_size) < 0 ||
>+                base_offset < 0 || extent_offset < 0 ||
>+                base_offset + (uint64_t)extent_offset > INT64_MAX)

Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?

>                 return AVERROR_INVALIDDATA;
>             if (offset_type == 1)
>                 c->heif_item[i].is_idat_relative = 1;
Andreas Rheinhardt June 18, 2024, 7:10 a.m. UTC | #3 
Rémi Denis-Courmont:
> 
> 
> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavformat/mov.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 9016cd5ad08..46cbce98040 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>         }
>>         for (int j = 0; j < extent_count; j++) {
>>             if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>> -                rb_size(pb, &extent_length, length_size) < 0)
>> +                rb_size(pb, &extent_length, length_size) < 0 ||
>> +                base_offset < 0 || extent_offset < 0 ||
>> +                base_offset + (uint64_t)extent_offset > INT64_MAX)
> 
> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
> 

+1

>>                 return AVERROR_INVALIDDATA;
>>             if (offset_type == 1)
>>                 c->heif_item[i].is_idat_relative = 1;
James Almer June 19, 2024, 12:34 p.m. UTC | #4 
On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
> 
> 
> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavformat/mov.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 9016cd5ad08..46cbce98040 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>          }
>>          for (int j = 0; j < extent_count; j++) {
>>              if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>> -                rb_size(pb, &extent_length, length_size) < 0)
>> +                rb_size(pb, &extent_length, length_size) < 0 ||
>> +                base_offset < 0 || extent_offset < 0 ||
>> +                base_offset + (uint64_t)extent_offset > INT64_MAX)
> 
> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?

You mean the __builtin_*_overflow() ones?

> 
>>                  return AVERROR_INVALIDDATA;
>>              if (offset_type == 1)
>>                  c->heif_item[i].is_idat_relative = 1;
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Rémi Denis-Courmont June 19, 2024, 1:08 p.m. UTC | #5 
Le 19 juin 2024 14:34:59 GMT+02:00, James Almer <jamrial@gmail.com> a écrit :
>On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
>> 
>> 
>> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>> 
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavformat/mov.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 9016cd5ad08..46cbce98040 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>>          }
>>>          for (int j = 0; j < extent_count; j++) {
>>>              if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>>> -                rb_size(pb, &extent_length, length_size) < 0)
>>> +                rb_size(pb, &extent_length, length_size) < 0 ||
>>> +                base_offset < 0 || extent_offset < 0 ||
>>> +                base_offset + (uint64_t)extent_offset > INT64_MAX)
>> 
>> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
>
>You mean the __builtin_*_overflow() one?

I'd rather the ckd_*() stuff but the differences are mostly stylistic.

>>>                  return AVERROR_INVALIDDATA;
>>>              if (offset_type == 1)
>>>                  c->heif_item[i].is_idat_relative = 1;
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel@ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> 
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>_______________________________________________
>ffmpeg-devel mailing list
>ffmpeg-devel@ffmpeg.org
>https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>To unsubscribe, visit link above, or email
>ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer June 20, 2024, 10:54 p.m. UTC | #6 
On Wed, Jun 19, 2024 at 03:08:58PM +0200, Rémi Denis-Courmont wrote:
> 
> 
> Le 19 juin 2024 14:34:59 GMT+02:00, James Almer <jamrial@gmail.com> a écrit :
> >On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
> >> 
> >> 
> >> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
> >>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
> >>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
> >>> 
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>> libavformat/mov.c | 4 +++-
> >>> 1 file changed, 3 insertions(+), 1 deletion(-)
> >>> 
> >>> diff --git a/libavformat/mov.c b/libavformat/mov.c
> >>> index 9016cd5ad08..46cbce98040 100644
> >>> --- a/libavformat/mov.c
> >>> +++ b/libavformat/mov.c
> >>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >>>          }
> >>>          for (int j = 0; j < extent_count; j++) {
> >>>              if (rb_size(pb, &extent_offset, offset_size) < 0 ||
> >>> -                rb_size(pb, &extent_length, length_size) < 0)
> >>> +                rb_size(pb, &extent_length, length_size) < 0 ||
> >>> +                base_offset < 0 || extent_offset < 0 ||
> >>> +                base_offset + (uint64_t)extent_offset > INT64_MAX)
> >> 
> >> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
> >
> >You mean the __builtin_*_overflow() one?
> 
> I'd rather the ckd_*() stuff but the differences are mostly stylistic.

Whatever is used must be supported by all currently supported platforms
that especially also includes past releases we backport things to.

In practice that means continuing to use the classical way to check
as well as our av_sat_addXY() stuff.

We cannot backport things that depend on C23 as that was not a requirement
in the past. So I also cannot use this in bug fixes.

thx

[...]
James Almer June 20, 2024, 10:58 p.m. UTC | #7 
On 6/20/2024 7:54 PM, Michael Niedermayer wrote:
> On Wed, Jun 19, 2024 at 03:08:58PM +0200, Rémi Denis-Courmont wrote:
>>
>>
>> Le 19 juin 2024 14:34:59 GMT+02:00, James Almer <jamrial@gmail.com> a écrit :
>>> On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
>>>>
>>>>
>>>> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>>>>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>>>>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>>>>
>>>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>>> ---
>>>>> libavformat/mov.c | 4 +++-
>>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>>>> index 9016cd5ad08..46cbce98040 100644
>>>>> --- a/libavformat/mov.c
>>>>> +++ b/libavformat/mov.c
>>>>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>>>>           }
>>>>>           for (int j = 0; j < extent_count; j++) {
>>>>>               if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>>>>> -                rb_size(pb, &extent_length, length_size) < 0)
>>>>> +                rb_size(pb, &extent_length, length_size) < 0 ||
>>>>> +                base_offset < 0 || extent_offset < 0 ||
>>>>> +                base_offset + (uint64_t)extent_offset > INT64_MAX)
>>>>
>>>> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
>>>
>>> You mean the __builtin_*_overflow() one?
>>
>> I'd rather the ckd_*() stuff but the differences are mostly stylistic.
> 
> Whatever is used must be supported by all currently supported platforms
> that especially also includes past releases we backport things to.
> 
> In practice that means continuing to use the classical way to check
> as well as our av_sat_addXY() stuff.
> 
> We cannot backport things that depend on C23 as that was not a requirement
> in the past. So I also cannot use this in bug fixes.

This change is ok for now (With my suggestion amended to it). We can add 
wrappers around the GCC builtins and C23 ckd_* macros later (With pure C 
fallbacks), and start using them for future changes.

> 
> thx
> 
> [...]
> 
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff mbox series

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9016cd5ad08..46cbce98040 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -8131,7 +8131,9 @@  static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         }
         for (int j = 0; j < extent_count; j++) {
             if (rb_size(pb, &extent_offset, offset_size) < 0 ||
-                rb_size(pb, &extent_length, length_size) < 0)
+                rb_size(pb, &extent_length, length_size) < 0 ||
+                base_offset < 0 || extent_offset < 0 ||
+                base_offset + (uint64_t)extent_offset > INT64_MAX)
                 return AVERROR_INVALIDDATA;
             if (offset_type == 1)
                 c->heif_item[i].is_idat_relative = 1;