[FFmpeg-devel] pnmdec: make sure v is capped by maxval

Message ID	7fb0049c-c650-9f1a-bf9d-77b5d40e61af@googlemail.com
State	Accepted
Headers	show Delivered-To: ffmpegpatchwork@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> To: ffmpeg-devel@ffmpeg.org References: <665e0d12-f81d-3e6a-6f4a-2feccf1b20ec@googlemail.com> <20161109101023.GD4602@nb4> <6880ed2d-64e0-3a28-9f67-06d05cb68f14@googlemail.com> <20161109205546.GI4602@nb4> <3b754390-2fc5-5594-54f3-2e2bd4d95f08@googlemail.com> <20161110012644.GJ4602@nb4> Message-ID: <7fb0049c-c650-9f1a-bf9d-77b5d40e61af@googlemail.com> Date: Thu, 10 Nov 2016 20:52:29 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 In-Reply-To: <20161110012644.GJ4602@nb4> Content-Type: multipart/mixed; boundary="------------15437838E310B2199533656F" Subject: Re: [FFmpeg-devel] [PATCH] pnmdec: make sure v is capped by maxval Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Message ID

7fb0049c-c650-9f1a-bf9d-77b5d40e61af@googlemail.com

State

Accepted

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100; 
From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
To: ffmpeg-devel@ffmpeg.org
References: <665e0d12-f81d-3e6a-6f4a-2feccf1b20ec@googlemail.com>
	<20161109101023.GD4602@nb4>
	<6880ed2d-64e0-3a28-9f67-06d05cb68f14@googlemail.com>
	<20161109205546.GI4602@nb4>
	<3b754390-2fc5-5594-54f3-2e2bd4d95f08@googlemail.com>
	<20161110012644.GJ4602@nb4>
Message-ID: <7fb0049c-c650-9f1a-bf9d-77b5d40e61af@googlemail.com>
Date: Thu, 10 Nov 2016 20:52:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Icedove/45.4.0
MIME-Version: 1.0
In-Reply-To: <20161110012644.GJ4602@nb4>
Content-Type: multipart/mixed;
	boundary="------------15437838E310B2199533656F"
Subject: Re: [FFmpeg-devel] [PATCH] pnmdec: make sure v is capped by maxval
Precedence: list
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Commit Message

Andreas Cadhalpun Nov. 10, 2016, 7:52 p.m. UTC

On 10.11.2016 02:26, Michael Niedermayer wrote:
> On Wed, Nov 09, 2016 at 10:46:03PM +0100, Andreas Cadhalpun wrote:
>>  pnmdec.c |    4 ++++
>>  1 file changed, 4 insertions(+)
>> a970cb981be02ea692d0bf2e68976077f14f2de3  0001-pnmdec-make-sure-v-is-capped-by-maxval.patch
>> From f315a3cfe35377a2638dc2294200a288408dc784 Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> Date: Wed, 9 Nov 2016 01:09:35 +0100
>> Subject: [PATCH] pnmdec: make sure v is capped by maxval
>>
>> Otherwise put_bits can be called with a value that doesn't fit in the
>> sample_len, causing an assertion failure.
>> ---
>>  libavcodec/pnmdec.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
>> index ca97cc3..0f6a895 100644
>> --- a/libavcodec/pnmdec.c
>> +++ b/libavcodec/pnmdec.c
>> @@ -144,6 +144,10 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
>>                      } else {
>>                          /* read a sequence of digits */
>>                          do {
>> +                            if (v > (INT_MAX - c) / 10 || 10 * v + c > s->maxval) {
>> +                                av_log(avctx, AV_LOG_ERROR, "value 10 * %d + %d larger than maxval %d\n", v, c, s->maxval);
>> +                                return AVERROR_INVALIDDATA;
>> +                            }
> 
> this test should nt be inside the loop
> you can try to benchmark with START/STOP_TIMER to see what effect
> this has (i didnt try but i expect it to be bad), this is the
> innermost loop of the decoder
> 
> you can just unroll the loop by 5, thats the max number of iterations
> i think, which avoids the overflow
> it also should make the code faster

Done, new patch attached.

> iam reading in man ppm and others:
> "The maximum color value (Maxval), again in ASCII decimal.  Must be less than 65536"

Indeed, I'll send a separate match limiting maxval.

Best regards,
Andreas

Comments

Michael Niedermayer Nov. 11, 2016, 1:03 a.m. UTC | #1

On Thu, Nov 10, 2016 at 08:52:29PM +0100, Andreas Cadhalpun wrote:
> On 10.11.2016 02:26, Michael Niedermayer wrote:
> > On Wed, Nov 09, 2016 at 10:46:03PM +0100, Andreas Cadhalpun wrote:
> >>  pnmdec.c |    4 ++++
> >>  1 file changed, 4 insertions(+)
> >> a970cb981be02ea692d0bf2e68976077f14f2de3  0001-pnmdec-make-sure-v-is-capped-by-maxval.patch
> >> From f315a3cfe35377a2638dc2294200a288408dc784 Mon Sep 17 00:00:00 2001
> >> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> >> Date: Wed, 9 Nov 2016 01:09:35 +0100
> >> Subject: [PATCH] pnmdec: make sure v is capped by maxval
> >>
> >> Otherwise put_bits can be called with a value that doesn't fit in the
> >> sample_len, causing an assertion failure.
> >> ---
> >>  libavcodec/pnmdec.c | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
> >> index ca97cc3..0f6a895 100644
> >> --- a/libavcodec/pnmdec.c
> >> +++ b/libavcodec/pnmdec.c
> >> @@ -144,6 +144,10 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
> >>                      } else {
> >>                          /* read a sequence of digits */
> >>                          do {
> >> +                            if (v > (INT_MAX - c) / 10 || 10 * v + c > s->maxval) {
> >> +                                av_log(avctx, AV_LOG_ERROR, "value 10 * %d + %d larger than maxval %d\n", v, c, s->maxval);
> >> +                                return AVERROR_INVALIDDATA;
> >> +                            }
> > 
> > this test should nt be inside the loop
> > you can try to benchmark with START/STOP_TIMER to see what effect
> > this has (i didnt try but i expect it to be bad), this is the
> > innermost loop of the decoder
> > 
> > you can just unroll the loop by 5, thats the max number of iterations
> > i think, which avoids the overflow
> > it also should make the code faster
> 
> Done, new patch attached.
> 
> > iam reading in man ppm and others:
> > "The maximum color value (Maxval), again in ASCII decimal.  Must be less than 65536"
> 
> Indeed, I'll send a separate match limiting maxval.
> 
> Best regards,
> Andreas
> 

>  pnmdec.c |   10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 0dd61abddc422dd2ac37356f8271822d7e801b8e  0001-pnmdec-make-sure-v-is-capped-by-maxval.patch
> From 2d402d8a38223b8c3c58d3e71e734932c9bdadae Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> Date: Wed, 9 Nov 2016 01:09:35 +0100
> Subject: [PATCH] pnmdec: make sure v is capped by maxval
> 
> Otherwise put_bits can be called with a value that doesn't fit in the
> sample_len, causing an assertion failure.

LGTM

thx

[...]

Andreas Cadhalpun Nov. 12, 2016, 12:40 a.m. UTC | #2

On 11.11.2016 02:03, Michael Niedermayer wrote:
> On Thu, Nov 10, 2016 at 08:52:29PM +0100, Andreas Cadhalpun wrote:
>>  pnmdec.c |   10 +++++++---
>>  1 file changed, 7 insertions(+), 3 deletions(-)
>> 0dd61abddc422dd2ac37356f8271822d7e801b8e  0001-pnmdec-make-sure-v-is-capped-by-maxval.patch
>> From 2d402d8a38223b8c3c58d3e71e734932c9bdadae Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> Date: Wed, 9 Nov 2016 01:09:35 +0100
>> Subject: [PATCH] pnmdec: make sure v is capped by maxval
>>
>> Otherwise put_bits can be called with a value that doesn't fit in the
>> sample_len, causing an assertion failure.
> 
> LGTM

Pushed.

Best regards,
Andreas

From 2d402d8a38223b8c3c58d3e71e734932c9bdadae Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Wed, 9 Nov 2016 01:09:35 +0100
Subject: [PATCH] pnmdec: make sure v is capped by maxval

Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.
---
 libavcodec/pnmdec.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
index ca97cc3..958c5e4 100644
--- a/libavcodec/pnmdec.c
+++ b/libavcodec/pnmdec.c
@@ -43,7 +43,7 @@  static int pnm_decode_frame(AVCodecContext *avctx, void *data,
     int buf_size         = avpkt->size;
     PNMContext * const s = avctx->priv_data;
     AVFrame * const p    = data;
-    int i, j, n, linesize, h, upgrade = 0, is_mono = 0;
+    int i, j, k, n, linesize, h, upgrade = 0, is_mono = 0;
     unsigned char *ptr;
     int components, sample_len, ret;
 
@@ -143,10 +143,14 @@  static int pnm_decode_frame(AVCodecContext *avctx, void *data,
                         v = (*s->bytestream++)&1;
                     } else {
                         /* read a sequence of digits */
-                        do {
+                        for (k = 0; k < 5 && c <= 9; k += 1) {
                             v = 10*v + c;
                             c = (*s->bytestream++) - '0';
-                        } while (c <= 9);
+                        }
+                        if (v > s->maxval) {
+                            av_log(avctx, AV_LOG_ERROR, "value %d larger than maxval %d\n", v, s->maxval);
+                            return AVERROR_INVALIDDATA;
+                        }
                     }
                     if (sample_len == 16) {
                         ((uint16_t*)ptr)[j] = (((1<<sample_len)-1)*v + (s->maxval>>1))/s->maxval;
-- 
2.10.2

[FFmpeg-devel] pnmdec: make sure v is capped by maxval

Commit Message

Comments

Patch