[FFmpeg-devel] Overflow check for frame_size in v4l.c

Stefano Sabatini stefano.sabatini-lala
Sat Dec 27 18:01:37 CET 2008 

On date Saturday 2008-12-27 17:16:05 +0100, Michael Niedermayer encoded:
> On Sat, Dec 27, 2008 at 03:12:59PM +0100, Stefano Sabatini wrote:
> > On date Saturday 2008-12-27 14:36:37 +0100, Michael Niedermayer encoded:
[...]
> > > > > I think the check is insufficient and more not less checking is needed
> > > > > 
> > > > >  frame_size = s->video_win.width * s->video_win.height * video_formats[j].depth / 8;
> > > > > 
> > > > > will not work with 32767*32767*...
> > > > 
> > > > OK, 32767 = 2^15 -1.
> > > > 
> > > > We may then check for 16383 = 2^14 -1 (check the patch below), or
> > > > maybe some function like these ones may help:
> > > 
> > > avcodec_check_dimensions()
> > 
> > I don't think it is a good idea to use that function here, its domain
> 
> its exactly what the function is designed to check.

/**
 * Checks if the given dimension of a picture is valid, meaning that all
 * bytes of the picture can be addressed with a signed int.
 *
 * @param[in] w Width of the picture.
 * @param[in] h Height of the picture.
 * @return Zero if valid, a negative value if invalid.
 */
int avcodec_check_dimensions(void *av_log_ctx, unsigned int w, unsigned int h);

The definition is promising, yet I'm missing the part which deals with
the pixel depth.

Then reading the code my confusion increased, as I can't figure out
the meaning of the code (what I -- naively -- expected was something like:
w * h < (INT_MAX -1 ) / MAX_DEPTH) (I guess those 128s are for
alignment reasons?):

int avcodec_check_dimensions(void *av_log_ctx, unsigned int w, unsigned int h){
    if((int)w>0 && (int)h>0 && (w+128)*(uint64_t)(h+128) < INT_MAX/4)
        return 0;

    av_log(av_log_ctx, AV_LOG_ERROR, "picture size invalid (%ux%u)\n", w, h);
    return -1;
}

And I agree, if this function may be used here then it's the way to
go.

> > is very specific and here we have to check the result of a
> > multiplication with *three* operands.
> > 
> > I propose three possible choices:
> > 
> 
> > 1) Implement a stricter check.
> > 
> >    Since we have
> >    frame_size =  s->video_win.width * s->video_win.height * video_formats[j].depth / 8;
> > 
> >    and video_formats[j].depth / 8 is at maximum 3, then we have:
> > 
> >    X * X * 3 < 2 ^ 31 -1;
> > 
> >    that is:
> >    X * X < (2^31 - 1) / 3
> > 
> >    max_X = tail (sqrt ((2^31 - 1) / 3)) = 26754
> > 
> >    so we could check for width/heigth <= 26754
> > 
> >    Or if we want to be more prudent, we can replace 3 with 8, then we have
> >    max_X = 16383.
> > 
> 
> this would reject cases that could never cause a problem, though iam not
> against it, its better than what we have currently.

Since 4 seems a good candidate as the max pixel depth in bytes, I think
that some comment and the value 23170 would be a good tradeoff.
 
> > 2) Introduce some generic function in libavutil such as av_safe_mul32()
> >    as proposed in the previous post and use it.
> 
> if you want to check for an overflow, check for it:
> 
> if(a*(uint64_t)b > INT_MAX)
>     error
> something(a*b);
> 
> 
> using this silly av_safe_mul32() will only make the code more messy:
> 
> int32_t tmp;
> if(av_safe_mul32(&tmp, a, b) < 0)
>     error;
> something(tmp);

Yes, though for more than two operands it still could be useful.

> > 
> > 3) Leave the check as it is, if we're lucky no one will ever have any
> >    problem with the non-strict-enough check, since valid values for
> >    height and width are unlikely to generate an overflow.
> 
> I would prefer if we dont deal with security holes that way.

I agree.

Regards.
-- 
FFmpeg = Fast Fierce Magical Powerful Everlasting Guru

More information about the ffmpeg-devel mailing list