[FFmpeg-devel] qt-faststart bug near 4GB

Michael Niedermayer michael at niedermayer.cc
Wed Jun 13 22:57:14 EEST 2018


On Wed, Jun 13, 2018 at 08:54:20AM +0000, Eran Kornblau wrote:
> > 
> > -----Original Message-----
> > From: ffmpeg-devel [mailto:ffmpeg-devel-bounces at ffmpeg.org] On Behalf Of Michael Niedermayer
> > Sent: Wednesday, June 13, 2018 1:41 AM
> > To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
> > Subject: Re: [FFmpeg-devel] qt-faststart bug near 4GB
> > 
> > 
> > This is not mandatory, but trying with some basic fuzzer seems like a good idea. Look at the examples in the manpage of zzuf, for example; it's very easy to use.
> > 
> Ok, zzuf is indeed easy to use :)
> 
> One issue that it surfaced is the lack of validation on ftyp atom size 
> (unrelated to this patch) -
> At some iteration it changed the ftyp size to a large number, faststart
> managed to allocate it, but zzuf did not. I don't think this is a real
> issue (if the code did malloc(size+1), read(size) then it could have been...)
> 
> Anyway, I used the attached patch to work around it. I didn't find any 
> official limit to the size of this atom, so I randomly chose 1MB, which is
> several orders of magnitude larger than any ftyp I've seen...
> 
> Btw, the exact same issue exists for moov, I can submit a patch for that too,
> although there it will be harder to find a good limit. We're using 256MB
> as the limit for moov size in our JIT packager.
> 
> These are the commands that I used for the test -
> 
> # ffmpeg -f lavfi -i anullsrc=sample_rate=48000 -t 0.1 faststart-zzuf.mp4
> 
> # zzuf -s 0:1000000 tools/qt-faststart faststart-zzuf.mp4 faststart-output.mp4 > zzuf-output.txt 2> zzuf-error.txt
> 
> # sort -u zzuf-error.txt
> faststart-zzuf.mp4: Invalid argument
> faststart-zzuf.mp4: Success
> 
> # sort -u zzuf-output.txt | awk 'NF<1 || $(NF-1) !~ /[0-9]+/ || $NF !~ /[0-9]+/' | grep -av 'too big$' | grep -av 'too small$'
>  copying rest of file...
> encountered non-QT top-level atom (is this a QuickTime file?)
> last atom in file was not a moov atom
> not enough room for 64 bit atom size
>  patching stco atom...
>  writing ftyp atom...
>  writing moov atom...
> 
> Thanks!
> 
> Eran
> 
> > [...]
> > 
> > -- 
> > Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> > 
> > The greatest way to live with honor in this world is to be what we pretend to be. -- Socrates
> >

>  qt-faststart.c |    6 ++++++
>  1 file changed, 6 insertions(+)
> aabd7a494cc34222fb91f195118308e6983e5577  0001-qt-faststart-add-validation-on-ftyp-atom-size.patch
> From 36ea3c1bf7afe91da310ee7a5b28e3e2d3f2d04c Mon Sep 17 00:00:00 2001
> From: erankor <eran.kornblau at kaltura.com>
> Date: Wed, 13 Jun 2018 11:48:20 +0300
> Subject: [PATCH] qt-faststart: add validation on ftyp atom size
> 
> avoid trying to allocate an unreasonably sized buffer on corrupt files
> ---
>  tools/qt-faststart.c | 6 ++++++
>  1 file changed, 6 insertions(+)

will apply
[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"Nothing to hide" only works if the folks in power share the values of
you and everyone you know entirely and always will -- Tom Scott
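The header parsing and the size check discussed in the thread above, as an added example in C. This is not qt-faststart's own code and not the patch: it parses a QuickTime/MP4 top-level atom header (32-bit size and fourcc, with the 64-bit extended size when the size field is 1 and "to end of file" when it is 0) and bounds the declared size before anything would be allocated for it. The 1 MiB ftyp and 256 MiB moov limits are the values Eran mentions, taken here as assumptions rather than specification limits; the sample atoms are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from qt-faststart. Parse a QuickTime/MP4 top-level
 * atom header and apply a per-type sanity limit before any allocation. */

#define ATOM_HEADER_SIZE     8
#define ATOM_EXT_HEADER_SIZE 16
/* Assumed limits (the values mentioned in the thread, not spec limits). */
#define MAX_FTYP_SIZE (1ULL << 20)   /* 1 MiB   */
#define MAX_MOOV_SIZE (256ULL << 20) /* 256 MiB */

#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define FTYP_ATOM FOURCC('f', 't', 'y', 'p')
#define MOOV_ATOM FOURCC('m', 'o', 'o', 'v')
#define MDAT_ATOM FOURCC('m', 'd', 'a', 't')

enum atom_status {
    ATOM_OK = 0,
    ATOM_TRUNCATED_HEADER, /* fewer bytes than the (extended) header needs   */
    ATOM_BAD_SIZE,         /* declared size smaller than its own header      */
    ATOM_PAST_EOF,         /* declared size runs past the end of the file    */
    ATOM_UNREASONABLE      /* over the per-type limit: refuse to allocate it */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t read_be64(const uint8_t *p)
{
    return ((uint64_t)read_be32(p) << 32) | read_be32(p + 4);
}

/* Validate the atom header at buf[0..len). file_remaining is the number of
 * file bytes from this header to EOF. On success *type, *size (whole atom
 * including its header, kept in 64 bits so a 32-bit field near 4 GB cannot
 * wrap in later arithmetic) and *hdr_len (8 or 16) are filled in. */
enum atom_status parse_atom_header(const uint8_t *buf, size_t len,
                                   uint64_t file_remaining, uint32_t *type,
                                   uint64_t *size, size_t *hdr_len)
{
    uint32_t size32;

    if (len < ATOM_HEADER_SIZE)
        return ATOM_TRUNCATED_HEADER;
    size32   = read_be32(buf);
    *type    = read_be32(buf + 4);
    *hdr_len = ATOM_HEADER_SIZE;

    if (size32 == 1) {
        /* size field of 1: a 64-bit size follows the type */
        if (len < ATOM_EXT_HEADER_SIZE)
            return ATOM_TRUNCATED_HEADER; /* "not enough room for 64 bit atom size" */
        *size    = read_be64(buf + 8);
        *hdr_len = ATOM_EXT_HEADER_SIZE;
    } else if (size32 == 0) {
        *size = file_remaining;           /* size field of 0: atom runs to EOF */
    } else {
        *size = size32;
    }

    if (*size < *hdr_len)
        return ATOM_BAD_SIZE;
    if (*size > file_remaining)
        return ATOM_PAST_EOF;
    /* The kind of check the patch adds for ftyp: bound the size before malloc(). */
    if ((*type == FTYP_ATOM && *size > MAX_FTYP_SIZE) ||
        (*type == MOOV_ATOM && *size > MAX_MOOV_SIZE))
        return ATOM_UNREASONABLE;
    return ATOM_OK;
}

/* Constructed samples: a normal 20-byte ftyp, a fuzzed ftyp claiming almost
 * 4 GB, and an mdat header using the 64-bit size form (4 GiB + 16 bytes). */
static const uint8_t SAMPLE_FTYP[] = {
    0x00, 0x00, 0x00, 0x14, 'f', 't', 'y', 'p',
    'i', 's', 'o', 'm', 0x00, 0x00, 0x02, 0x00, 'm', 'p', '4', '1'
};
static const uint8_t FUZZED_FTYP[] = {
    0xff, 0xff, 0xff, 0xf0, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm'
};
static const uint8_t BIG_MDAT_HDR[] = {
    0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10
};

int main(void)
{
    uint32_t type; uint64_t size; size_t hdr;
    enum atom_status st;

    st = parse_atom_header(SAMPLE_FTYP, sizeof SAMPLE_FTYP, sizeof SAMPLE_FTYP,
                           &type, &size, &hdr);
    printf("ftyp:        status %d size %llu\n", st, (unsigned long long)size);
    /* Pretend the file is 4 GiB + 1 KiB long so the limit, not EOF, rejects it. */
    st = parse_atom_header(FUZZED_FTYP, sizeof FUZZED_FTYP, (1ULL << 32) + 1024,
                           &type, &size, &hdr);
    printf("fuzzed ftyp: status %d size %llu\n", st, (unsigned long long)size);
    st = parse_atom_header(BIG_MDAT_HDR, sizeof BIG_MDAT_HDR, 1ULL << 33,
                           &type, &size, &hdr);
    printf("64-bit mdat: status %d size %llu\n", st, (unsigned long long)size);
    return 0;
}
```

The point of keeping the limit check separate from the EOF check is the failure mode Eran describes: a fuzzed size that the file length alone does not rule out still reaches the allocator unless the parser refuses it first, and the size is carried in a 64-bit variable so that adding a header length to a value just under 4 GB cannot wrap in a 32-bit type. A legitimately large mdat, which is where real files pass 4 GB, is still accepted through the extended-size form.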
