[FFmpeg-devel] [PATCH] libavformat/usmdec: add support for HCA stream decryption
Michael Niedermayer
michael at niedermayer.cc
Fri Jun 27 00:08:07 EEST 2025
Hi Pavel
On Thu, Jun 26, 2025 at 12:04:17AM -0700, Pavel Roslyy wrote:
> On Wed, Jun 25, 2025 at 3:40 PM Michael Niedermayer
> <michael at niedermayer.cc> wrote:
> >
> > [...]
> >
> > bug found, not applying yet
> >
> > ret = ff_alloc_extradata(par, pkt_size + key_buf);
> >
> > pkt_size + key_buf can overflow i think
>
> If I'm understanding right, I don't think it can.
> pkt_size = chunk_size - (ret - chunk_start) - padding_size;
>
> (ret - chunk_start) should be at least 24 at this point, and I don't think
> padding_size will be negative so pkt_size is at most UINT32_MAX - 24.
chunk_size is arbitrary 32bit thus pkt_size is arbitrary 32bit
>
> key_buf adds at most 10, which is not enough to overflow.
arbitrary uint32_t + 10 can overflow. Its a defined overflow
but the following allocation is then bad
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 1
"Used only once" - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaird by experienced expert"
"As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250626/7b002ba0/attachment.sig>
More information about the ffmpeg-devel
mailing list