[FFmpeg-devel] [PATCH 2/3] avcodec/lagarith: Optimize case with singleton probability distribution

Paul B Mahol onemda at gmail.com
Tue Dec 25 17:45:00 EET 2018 

On 12/25/18, Paul B Mahol <onemda at gmail.com> wrote:
> On 12/25/18, Michael Niedermayer <michael at niedermayer.cc> wrote:
>> On Mon, Dec 24, 2018 at 11:54:31PM +0000, Kieran Kunhya wrote:
>>> >
>>> > commit 0ca7a8deeffd33e05ae15a447259b32b6678c727 (HEAD -> master)
>>> > Author: Michael Niedermayer <michael at niedermayer.cc>
>>> > Date:   Mon Dec 24 01:14:50 2018 +0100
>>> >
>>> >     avcodec/lagarith: Optimize case with singleton probability
>>> > distribution
>>> >
>>> >     Fixes: Timeout
>>> >     Fixes:
>>> > 10554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5739938067251200
>>> >
>>> >     In case of a Denial of Service attack, the attacker wants to
>>> > maximize
>>> > the load on the target
>>> >     per byte transmitted from the attacker.
>>> >     For such a DoS attack it is best for the attacker to setup the
>>> > probabilities so that the
>>> >     arithmetic decoder does not advance in the bytestream that way the
>>> > attacker only needs to
>>> >     transmit the initial bytes and header for an arbitrary large
>>> > frame.
>>> >     This patch here optimizes this codepath and avoids executing the
>>> > arithmetic decoder more than
>>> >     once. It thus reduces the load causes by this codepath on the
>>> > target.
>>> >     We also could completely disallow this codepath but it appears
>>> > such
>>> > odd probability
>>> >     distributions are not invalid.
>>> >
>>> >     Found-by: continuous fuzzing process
>>> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> >     Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> >
>>>
>>> This is a nonsense argument, a user could send a frame that was
>>> 99999999x99999999 in dimensions, would have the same effect.
>>
>> This suggested attack would not work, a user wanting to minimize these
>> DoS issues would have set AVCodecContext.max_pixels which would block
>> this.
>>
>>
>>> The calling application should manage timeouts themselves in a sandbox
>>> or
>>> container or similar.
>>
>> Its always possible and also a very good idea to have a 2nd line of
>> defense
>> like a sandbox / VM, ... as you suggest here, I did and do agree here.
>> And also a 3rd line of defense, ...
>>
>> But this doesnt mean we should not attempt to fix or mitigate
>> security (or other) issues directly in the code.
>>
>> I think the point you are raising has been raised previously, so let me
>> argue a little broader here and not specific to just what you suggest.
>>
>> If you compare a native fix in the code with a fix by a timeout, a
>> fix by a timeout causes:
>> * The whole process to be killed, so any application using libavcodec
>>   would basically "crash" and would not neccessarily save its state,
>>   flush out buffers, write any trailers or do proper protocol shutdowns
>>   or save any unsafed data. This is a outcome that should be minimized
>> * Using a timeout as the main way to block DoS is difficult as there is
>>   often no good timeout value. Its not unexpected that a system may need
>> to
>>   support processing large videos taking several hours, thats a long
>>   time for a file of a hundread bytes in a DoS attack
>>   100bytes from an attacker could cause the same load as 1000000000 bytes
>> from
>>   a user.
>> * Worst maybe is that a tight timeout likely makes the system more
>> vulnerable
>>   not less. because during an attack all the processes would likely slow
>>   down and real users would be pushed into the timeout even if the system
>>   without the user processes timeouting would still function correctly
>>
>> Iam sure there are more arguments but above are the ones that came to my
>> mind
>> ATM.
>>
>>>
>>> Merry Xmas.
>>
>> Merry Xmas as well!
>>
>> [...]
>> --
>> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>>
>> Those who would give up essential Liberty, to purchase a little
>> temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
>>
>
> This is still missing numbers/statistics.
>

And comments explaining added code.

More information about the ffmpeg-devel mailing list