From patchwork Mon Jun 12 13:22:56 2023
X-Patchwork-Submitter: Leo Izen
X-Patchwork-Id: 42050
From: Leo Izen
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 12 Jun 2023 09:22:56 -0400
Message-ID: <20230612132256.84549-1-leo.izen@gmail.com>
X-Mailer: git-send-email 2.41.0
Subject: [FFmpeg-devel] [PATCH v2] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container
Cc: Leo Izen

This switches the jpegxl_collect_codestream_header function to use avcodec/bytestream2, which better enforces barriers, and should avoid overrunning buffers with jxlp boxes if the size is zero or if the size is so small the box is invalid.

Signed-off-by: Leo Izen
---
 libavformat/jpegxl_anim_dec.c | 56 +++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 26 deletions(-)

diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index 6ea6c46d8f..ec400c955c 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -28,6 +28,7 @@ #include #include +#include "libavcodec/bytestream.h" #define BITSTREAM_READER_LE #include "libavcodec/get_bits.h"
@@ -48,62 +49,65 @@ typedef struct JXLAnimDemuxContext { * returns the number of bytes consumed from input, may be greater than input_len * if the input doesn't end on an ISOBMFF-box boundary */ -static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int input_len, uint8_t *buffer, int buflen, int *copied) { - const uint8_t *b = input_buffer; +static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int input_len, + uint8_t *buffer, int buflen, int *copied) { + GetByteContext gb; *copied = 0; + bytestream2_init(&gb, input_buffer, input_len); while (1) { uint64_t size; uint32_t tag; int head_size = 8; - if (b - input_buffer >= input_len - 16) + if (bytestream2_get_bytes_left(&gb) < 16) break; - size = AV_RB32(b); - b += 4; + size = bytestream2_get_be32(&gb); if (size == 1) { - size = AV_RB64(b); - b += 8; + size = bytestream2_get_be64(&gb); head_size = 16; } /* invalid ISOBMFF size */ - if (size > 0 && size <= head_size) + if (size && size <= head_size) return AVERROR_INVALIDDATA; - if (size > 0) + if (size) size -= head_size; - tag = AV_RL32(b); - b += 4; + tag = bytestream2_get_le32(&gb); if (tag == MKTAG('j', 'x', 'l', 'p')) { - b += 4; - size -= 4; + if (bytestream2_get_bytes_left(&gb) < 4) + break; + bytestream2_skip(&gb, 4); + if (size) { + if (size <= 4) + return AVERROR_INVALIDDATA; + size -= 4; + } } + /* + * size = 0 means "until EOF". this is legal but uncommon + * here we just set it to the remaining size of the probe buffer + */ + if (!size) + size = bytestream2_get_bytes_left(&gb); if (tag == MKTAG('j', 'x', 'l', 'c') || tag == MKTAG('j', 'x', 'l', 'p')) { - /* - * size = 0 means "until EOF". 
this is legal but uncommon - * here we just set it to the remaining size of the probe buffer - * which at this point should always be nonnegative - */ - if (size == 0 || size > input_len - (b - input_buffer)) - size = input_len - (b - input_buffer); - if (size > buflen - *copied) size = buflen - *copied; /* * arbitrary chunking of the payload makes this memcpy hard to avoid * in practice this will only be performed one or two times at most */ - memcpy(buffer + *copied, b, size); - *copied += size; + *copied += bytestream2_get_buffer(&gb, buffer + *copied, size); + } else { + bytestream2_skip(&gb, size); } - b += size; - if (b >= input_buffer + input_len || *copied >= buflen) + if (bytestream2_get_bytes_left(&gb) <= 0 || *copied >= buflen) break; } - return b - input_buffer; + return bytestream2_tell(&gb); } static int jpegxl_anim_probe(const AVProbeData *p)
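Review bot: `bytestream2_skip(&gb, size);` in the new `else` branch silently truncates the `uint64_t size` to the `unsigned int` that helper takes, so a box whose 64-bit largesize (the `size == 1` path) is 2^32 or more skips only the low 32 bits of it, and the loop then reads payload bytes as the next box header instead of running off the end of the probe buffer and stopping; the old code clamped with `size = input_len - (b - input_buffer);` before advancing, and a single `size = FFMIN(size, bytestream2_get_bytes_left(&gb));` placed after the `if (!size)` block would restore that for both the skip path and the copy path (the copy path is already bounded by `buflen - *copied` and by the reader itself, so this is a parsing-correctness point, not a memory-safety one). The function comment visible in the hunk context, "may be greater than input_len if the input doesn't end on an ISOBMFF-box boundary", is now stale: `bytestream2_tell()` can never exceed `input_len` because the reader clamps at the buffer end, so either update that comment or, if any caller relied on the overshoot, call out the behaviour change in the commit message.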