[FFmpeg-devel] [FFmpeg-cvslog] avcodec/tiff: do not abort decoding if strips are available

Paul B Mahol onemda at gmail.com
Mon Nov 2 16:32:09 EET 2020


On Mon, Nov 2, 2020 at 3:28 PM Paul B Mahol <onemda at gmail.com> wrote:

>
>
> On Mon, Nov 2, 2020 at 3:06 PM Michael Niedermayer <michael at niedermayer.cc>
> wrote:
>
>> On Mon, Nov 02, 2020 at 11:44:00AM +0100, Paul B Mahol wrote:
>> > On Mon, Nov 2, 2020 at 11:21 AM Michael Niedermayer <michael at niedermayer.cc> wrote:
>> >
>> > > On Wed, Oct 07, 2020 at 08:19:12PM +0000, Paul B Mahol wrote:
>> > > > ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Fri Oct  2 12:16:49 2020 +0200| [da5b3d002862d1e105002a6dc1567e6551860896] | committer: Paul B Mahol
>> > > >
>> > > > avcodec/tiff: do not abort decoding if strips are available
>> > > >
>> > > > Even if such files are invalid, they can be decoded just fine.
>> > >
>> > > Please provide such files so it can be implemented correctly
>> > > this commit causes security issues
>> > > Without such invalid-tile+stripe-jpegs which we can decode
>> > > it's plausible that a fix to the security issue will break that
>> > > class of files again
>> > >
>> > >
>> > Files are freely available on internet, use your search skills to find it.
>>
>> As you know of a specific file and I do not, you should provide a link.
>> Or add a fate test ...
>> It's trivial for you, while searching the internet for a specific broken tiff
>> file is not a trivial task. None of the files I have tested are affected by
>> this
>>
>
> Try harder. If you search user mailing list you would find links to such
> images.
> My upload speed is miserable, and files are big, 24 MB even for fate.
>
>
>>
>> You do not have to of course, but then what else do you imagine should
>> happen?
>> Do you want this to be reverted ?
>> Do you want an open security issue ?
>> Do you want other developers to spend their time searching for a link you have
>> but don't tell ?
>>
>> I am sure you realize none of these options really makes sense
>>
> Really. It makes sense to break working files with untested "security fixes".
>

One such file is still here:

http://www.astro-electronic.de/IMG_3459.dng

If you need another different one, I will try to provide a link.


>
>
>> thx
>>
>> PS: a fate test with that invalid tiff file also would be a good argument
>>     for you against a revert
>>
>> [...]
>> --
>> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>>
>> Rewriting code that is poorly written but fully understood is good.
>> Rewriting code that one doesn't understand is a sign that one is less smart
>> than the original author, trying to rewrite it will not make it better.
>
>

