[FFmpeg-devel] [PATCH] avformat/data_uri: Fix base64 decode buffer size calculation

[Michael Niedermayer]

On Thu, May 09, 2024 at 04:02:09PM +0200, Kacper Michajłow wrote:
> Also reject input if it is too short.
> 
> Found by OSS-Fuzz.
> 
> Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
> ---
>  libavformat/data_uri.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/data_uri.c b/libavformat/data_uri.c
> index 3868a19630..f97ecbab37 100644
> --- a/libavformat/data_uri.c
> +++ b/libavformat/data_uri.c
> @@ -73,11 +73,11 @@ static av_cold int data_open(URLContext *h, const char *uri, int flags)
>      data++;
>      in_size = strlen(data);
>      if (base64) {
> -        size_t out_size = 3 * (in_size / 4) + 1;
> +        size_t out_size = AV_BASE64_DECODE_SIZE(in_size);

i suspect this is correct


>  
>          if (out_size > INT_MAX || !(ddata = av_malloc(out_size)))
>              return AVERROR(ENOMEM);

> -        if ((ret = av_base64_decode(ddata, data, out_size)) < 0) {
> +        if (!out_size || (ret = av_base64_decode(ddata, data, out_size)) < 0) {
>              av_free(ddata);
>              av_log(h, AV_LOG_ERROR, "Invalid base64 in URI\n");
>              return ret;

why would this need a out_size == 0 check ?

also it seems av_base64_decode() itself is buggy, ive sent 2 patches
fixing av_base64_decode() and extening the self tests

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240511/af0429de/attachment.sig>