[FFmpeg-devel] [PATCH] avcodec/parser: Check next against buffer index
Michael Niedermayer
michael at niedermayer.cc
Wed Mar 13 00:13:39 EET 2024
On Sat, Jun 24, 2023 at 10:13:48PM +0200, Reimar Döffinger wrote:
> Hi!
>
> > On 24 Jun 2023, at 21:14, Andreas Rheinhardt <andreas.rheinhardt at outlook.com> wrote:
> >
> > Michael Niedermayer:
> >> Fixes: out of array access
> >> Fixes: crash-0d640731c7da52415670eb47a2af701cbe2e1a3b
> >>
> >> Found-by: Catena cyber <contact at catenacyber.fr>
> >> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >> ---
> >> libavcodec/parser.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavcodec/parser.c b/libavcodec/parser.c
> >> index efc28b8918..db39e698ab 100644
> >> --- a/libavcodec/parser.c
> >> +++ b/libavcodec/parser.c
> >> @@ -214,7 +214,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> >> for (; pc->overread > 0; pc->overread--)
> >> pc->buffer[pc->index++] = pc->buffer[pc->overread_index++];
> >>
> >> - if (next > *buf_size)
> >> + if (next > *buf_size || (next < -pc->index && next != END_NOT_FOUND))
> >> return AVERROR(EINVAL);
> >>
> >> /* flush remaining if EOF */
> >
> > Could you provide more details about this? E.g. which parser is this
> > about at all? And how can we actually come in this situation at all?
> > (Whenever I looked at ff_combine_frame() I do not really understand what
> > its invariants are supposed to be.)
>
> Yeah, when I looked at it I also felt like it has all kinds of
> assumptions/preconditions without which it will break, but those
> are not documented. Not really reviewable for correctness.
> The change I proposed to fix the same issue was as below. But
> note that it is not based on actual understanding, just that generally
> index, overread_index and buf_size are updated together so I
> thought it suspicious buf_size was not updated on realloc failure.
> --- a/libavcodec/parser.c
> +++ b/libavcodec/parser.c
> @@ -252,6 +252,7 @@ int ff_combine_frame(ParseContext *pc, int next,
> AV_INPUT_BUFFER_PADDING_SIZE);
> if (!new_buffer) {
> av_log(NULL, AV_LOG_ERROR, "Failed to reallocate parser buffer to %d\n", next + pc->index + AV_INPUT_BUFFER_PADDING_SIZE);
> + *buf_size =
> pc->overread_index =
> pc->index = 0;
> return AVERROR(ENOMEM);
It appears neither of the 2 fixes was applied
this is not ideal
I will apply reimars patch
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No snowflake in an avalanche ever feels responsible. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240312/bdc2b843/attachment.sig>
More information about the ffmpeg-devel
mailing list