[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

[Paul B Mahol]

On Tue, Dec 22, 2020 at 10:27 PM Michael Niedermayer <michael at niedermayer.cc>
wrote:

> On Sun, Dec 20, 2020 at 10:18:40PM +0100, Paul B Mahol wrote:
> > Unacceptable, please share privately sample that allows to reproduce
> this.
>
> shared the ones which reproduce.
>
> Please explain why this patch is unacceptable to you.
>
> the CFHD decoder decodes header elements in the order in which they are
> stored. The problem is that many have interdependancies yet there are
> no checks for these. And where there are checks theres no protection
> against changing dependancies after they have been used.
> Basically CFHD allows an attacker to do absolutely anything
>
> To pick a random example:
> the code reading the SubbandNumber adjusts the level and then
> checks its range based on transform_type. Yet transform_type
> may be not set yet or may be subsequently changed.
> That is issue 27872
>
> One surely can try to add specific checks for all this but i doubt that
> will
> result in secure code anytime soon. Its IMO better to fundamentally
> fix this and not allow anything to occur in any multiplicity and order.
> My posted patch is one way of many possible alternatives to move in that
> direction
>
>
Well, you forgot that when you check for order of tags, you basically still
allow
crash to happen, just this time crashing code path needs to follow correct
parsing order.


> Thanks
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> There will always be a question for which you do not know the correct
> answer.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".