[FFmpeg-devel] [PATCH 7/7] avcodec/cbs_jpeg: Try to move the read entity to one side in a test

Michael Niedermayer michael at niedermayer.cc
Tue Jul 2 21:29:43 EEST 2024 

On Fri, May 03, 2024 at 12:03:57AM +0200, Michael Niedermayer wrote:
> On Thu, May 02, 2024 at 08:58:17AM +0200, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > Fixes: CID1439654 Untrusted pointer read
> > > 
> > > Sponsored-by: Sovereign Tech Fund
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > >  libavcodec/cbs_jpeg.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c
> > > index b1b58dcd65e..406147c082c 100644
> > > --- a/libavcodec/cbs_jpeg.c
> > > +++ b/libavcodec/cbs_jpeg.c
> > > @@ -146,13 +146,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
> > >              }
> > >          } else {
> > >              i = start;
> > > -            if (i + 2 > frag->data_size) {
> > > +            if (i > frag->data_size - 2) {
> > >                  av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: "
> > >                         "truncated at %02x marker.\n", marker);
> > >                  return AVERROR_INVALIDDATA;
> > >              }
> > >              length = AV_RB16(frag->data + i);
> > > -            if (i + length > frag->data_size) {
> > > +            if (length > frag->data_size - i) {
> > >                  av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: "
> > >                         "truncated at %02x marker segment.\n", marker);
> > >                  return AVERROR_INVALIDDATA;
> > 
> > You should always mention when you are not fixing bugs in our code, but
> > rather intend to apply workaround for coverity crazyness (i.e. the
> > requirement that reading values in non-native endianness needs to be
> > sanitized).
> 
> writing code like
> if (i + length > frag->data_size)
> 
> is IMHO not proper and that has nothing to do with coverity
> the reason why this is not proper is that i + length could in
> principle overflow. It depends on teh whole loop and calling code
> if that is possible or not.
> 
> to check length, length should be alone on one side of the check

I will add this to the commit message:
"   The checked entity should be alone on one side of the check, this avoids
    complex considerations of overflows.
    This fixes a issue of bad style in our code and a coverity issue.
"

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240702/26bb34e7/attachment.sig>

More information about the ffmpeg-devel mailing list