Fix several overflows in box and track processing #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oftheforest
force-pushed
the
checked-arithmetic
branch
from
47d26a0 to
241b9d6
Compare
oftheforest
force-pushed
the
checked-arithmetic
branch
from
241b9d6 to
686a7a3
Compare
jessa0
reviewed
Jan 24, 2023
jessa0
requested changes
Jan 26, 2023
This appears to be a bug unmasked by other changes. read_sample() calls sample_offset() then sample_size(), and assumes that if the former returns Ok then the latter does as well. However, if the sample_id is one past the end, sample_offset() might succeed (it only checks samples _up to_ the given sample_id but not _including_ it) while sample_size() fails (because the sample doesn't exist). read_sample() will then panic. Fix this by duplicating the error propagation (that is currently done for sample_offset) for sample_size, instead of unwrapping. This is a cautious change that fixes the bug; alternatively, having sample_offset() call sample_size() on the given sample_id and propagate any error might also work.
oftheforest
force-pushed
the
checked-arithmetic
branch
from
930c9ee to
57173ce
Compare
Together with the entry_count checks, this eliminates several OOMs when reading incorrect mp4 files.
jessa0
requested changes
Feb 8, 2023
| @@ -103,6 +103,11 @@ impl<R: Read + Seek> ReadBox<&mut R> for Avc1Box { | |||
|
|
|||
| let header = BoxHeader::read(reader)?; | |||
| let BoxHeader { name, size: s } = header; | |||
| if s > size { | |||
There was a problem hiding this comment.
I suppose we could be more precise here (and below), with:
if s > size.saturating_sub(reader.stream_position() - start) {Do you think it's worth it to do so? Maybe not, since I think these checks are mostly to prevent crashes due to large allocations, right? In that case, maybe add comments explaining why the checks are imprecise.
This also makes me realize that pretty much every read_box should be doing:
let mut reader = reader.take(size - HEADER_SIZE);so that they don't read past the end of the box. But I can file a bug (#4) for that to do in a separate PR (since this one is getting large).
There was a problem hiding this comment.
I seem to remember that this/something else already effectively prevented that sort of box overrun? I'll take another look, though; if that's not the case, I'll open another PR for #4.
This was due to an incorrect transcription when switching to checked arithmetic, and fixes a bug that could cause attempted lookups of the wrong chunk_id.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.