From patchwork Wed Jun 7 23:48:09 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 42002
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 8 Jun 2023 01:48:09 +0200
Message-Id: <20230607234810.9283-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/2] avformat/jpegxl_probe: check length instead of blindly reading

Enable the checked bitreader to avoid overread.
Also add a few checks in loops and between blocks so we exit instead of continued execution.

Alternatively we could add manual checks so that no overread can happen. This would be slightly faster but a bit more work and a bit more fragile.

Fixes: Out of array accesses
Fixes: 59640/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-6584117345779712
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/jpegxl_probe.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 1d9c014f19..e15e9eee49 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -21,6 +21,7 @@ #include "jpegxl_probe.h" +#define UNCHECKED_BITSTREAM_READER 0 #define BITSTREAM_READER_LE #include "libavcodec/get_bits.h"
@@ -293,6 +294,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid skip_bits_long(gb, 1); } } + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (!all_default) { jpegxl_skip_bit_depth(gb); @@ -307,6 +310,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid for (uint32_t i = 0; i < num_extra_channels; i++) { if (jpegxl_read_extra_channel_info(gb, validate_level) < 0) return -1; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } xyb_encoded = get_bits1(gb); @@ -336,8 +341,11 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid return -1; if (primaries == FF_JPEGXL_PR_CUSTOM) { /* ux/uy values for r,g,b */ - for (int i = 0; i < 6; i++) + for (int i = 0; i < 6; i++) { jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + } } } } 
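Review bot: the `+#define UNCHECKED_BITSTREAM_READER 0` in the @@ -21 hunk needs a one-line comment saying it is there to force the checked reader for this parser of untrusted input (the reason the commit message gives). The define only has an effect because it sits before `#include "libavcodec/get_bits.h"`, and a later include reordering would silently drop the protection with nothing at the site explaining what it guards.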
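Review bot: in the @@ -307 hunk the two failure paths of one loop body now return different values: `return -1;` when jpegxl_read_extra_channel_info() fails and `return AVERROR_INVALIDDATA;` when the reader runs dry. Callers that inspect the code get two conventions for the same condition; `return AVERROR_INVALIDDATA;` on both would be consistent.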
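Review bot: style point on the @@ -336 hunk: the loop has a fixed bound of 6 and, with the checked reader enabled in the first hunk, none of the six jxl_u32() calls can overread, so a single `if (get_bits_left(gb) < 1) return AVERROR_INVALIDDATA;` after the loop rejects the same truncated inputs with the same return value and keeps the inner loop to the one-line body it had before. The per-iteration form is correct as well; this is only about keeping the hot loop small.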
@@ -363,10 +371,14 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid skip_bits_long(gb, 16 + 16 + 1 + 16); extensions = jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (extensions) { for (int i = 0; i < 64; i++) { if (extensions & (UINT64_C(1) << i)) jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } } }

From patchwork Wed Jun 7 23:48:10 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 42001
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 8 Jun 2023 01:48:10 +0200
Message-Id: <20230607234810.9283-2-michael@niedermayer.cc>
In-Reply-To: <20230607234810.9283-1-michael@niedermayer.cc>
References: <20230607234810.9283-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avformat/jpegxl_probe: Forward error codes

Signed-off-by: Michael Niedermayer
---
 libavformat/jpegxl_probe.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index e15e9eee49..88492cb772 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c
@@ -261,8 +261,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid if (get_bits_long(gb, 16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) return -1; - if (jpegxl_read_size_header(gb) < 0 && validate_level) - return -1; + if ((ret = jpegxl_read_size_header(gb)) < 0 && validate_level) + return ret; all_default = get_bits1(gb); if (!all_default) @@ -281,8 +281,9 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid /* preview header */ if (get_bits1(gb)) { - if (jpegxl_read_preview_header(gb) < 0) - return -1; + ret = jpegxl_read_preview_header(gb); + if (ret < 0) + return ret; } /* animation header */ @@ -308,8 +309,9 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid if (num_extra_channels > 4 && validate_level) return -1; for (uint32_t i = 0; i < num_extra_channels; i++) { - if (jpegxl_read_extra_channel_info(gb, validate_level) < 0) - return -1; + ret = jpegxl_read_extra_channel_info(gb, validate_level); + if (ret < 0) + return ret; if (get_bits_left(gb) < 1) return AVERROR_INVALIDDATA; }
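Review bot: the @@ -261 hunk assigns `ret` but no declaration of `ret` appears anywhere in this diff; please confirm `int ret` is declared in ff_jpegxl_verify_codestream_header(), otherwise the series does not compile. In the same hunk the `return -1;` for the signature mismatch two lines above is left as is, so the function still hands callers a mix of plain -1 and AVERROR values; `return AVERROR_INVALIDDATA;` there would finish what this patch starts.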
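Review bot: in the @@ -308 hunk `if (num_extra_channels > 4 && validate_level) return -1;` sits directly above the newly forwarded `return ret;` and the existing `return AVERROR_INVALIDDATA;`, leaving three error conventions within five lines. Converting that `-1` to `AVERROR_INVALIDDATA` as part of this "forward error codes" change would give the loop a single convention.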
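As an added illustration of the pattern patch 1/2 applies, and not code from the patches or from FFmpeg, the block below uses a simplified, constructed bit reader with checked-reader semantics (reads past the end yield zero bits and make the remaining-bit count negative) and a constructed header layout with an 8-bit extension mask instead of JPEG XL's u64 fields; `ERR_TRUNCATED` is an assumed stand-in for AVERROR_INVALIDDATA. It shows why the checked reader alone only prevents the memory access, while the `get_bits_left() < 1` checks are what make a truncated header get rejected instead of "parsed" from zeros.

```c
#include <stdbool.h>
#include <stdint.h>

#define ERR_TRUNCATED (-2)  /* stand-in for AVERROR_INVALIDDATA (assumption) */

/* Simplified little-endian bit reader with checked semantics (not FFmpeg's
 * get_bits.h): reads past the end yield zero bits and drive bits_left() negative. */
typedef struct {
    const uint8_t *buf;
    int size_bits;
    int pos;            /* next bit to consume; may run past size_bits */
} BitReader;

static int bits_left(const BitReader *br) { return br->size_bits - br->pos; }

static uint32_t get_bits(BitReader *br, int n)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++) {
        int idx = br->pos + i;
        if (idx < br->size_bits)        /* the bounds check: the "checked" part */
            v |= (uint32_t)((br->buf[idx >> 3] >> (idx & 7)) & 1) << i;
    }
    br->pos += n;                       /* position advances even when starved */
    return v;
}

/* Constructed layout (assumption): 8-bit extension mask, one 16-bit payload per
 * set bit, then further header fields. Returns the payload count or ERR_TRUNCATED.
 * check == false mirrors the pre-patch loop: a truncated header is read as zero
 * bits and reported as valid instead of being rejected. */
int parse_extensions(const uint8_t *buf, int len, bool check)
{
    BitReader br = { buf, len * 8, 0 };
    uint32_t extensions = get_bits(&br, 8);
    int count = 0;
    for (int i = 0; i < 8; i++) {
        if (extensions & (1u << i)) {
            get_bits(&br, 16);
            count++;
        }
        /* same placement as the patch: stop as soon as the reader ran dry */
        if (check && bits_left(&br) < 1)
            return ERR_TRUNCATED;
    }
    return count;
}
```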