Fix several overflows in box and track processing #94
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This appears to be a bug unmasked by other changes. read_sample() calls sample_offset() then sample_size(), and assumes that if the former returns Ok then the latter does as well. However, if the sample_id is one past the end, sample_offset() might succeed (it only checks samples _up to_ the given sample_id but not _including_ it) while sample_size() fails (because the sample doesn't exist). read_sample() will then panic. Fix this by duplicating the error propagation (that is currently done for sample_offset) for sample_size, instead of unwrapping. This is a cautious change that fixes the bug; alternatively, having sample_offset() call sample_size() on the given sample_id and propagate any error might also work.
|
Hi @oftheforest. Thanks for the PR. Can you provide a description of the changes you are making here? Thank you. |
Together with the entry_count checks, this eliminates several OOMs when reading incorrect mp4 files.
|
Hi @oftheforest, Thanks for the PR. Running through some of my local test vectors on the examples and seeing a few issues:
It seems to only affect an MP4 with a single track. I provided both an audio and video only mp4 below. Latest tears-of-steel-2s-audio.mp4tears-of-steel-video.mp4 |
This was due to an incorrect transcription when switching to checked arithmetic, and fixes a bug that could cause attempted lookups of the wrong chunk_id.
|
Thanks for the fix. I will test again soon. |
|
Thank you, @oftheforest! |
jprochazk
pushed a commit
to jprochazk/mp4
that referenced
this pull request
Sep 18, 2024
* Fix several overflows in box and track processing * Use size_of::<Type>() instead of magic numbers * Fix a panic in Mp4Track::read_sample() for one-past-the-end This appears to be a bug unmasked by other changes. read_sample() calls sample_offset() then sample_size(), and assumes that if the former returns Ok then the latter does as well. However, if the sample_id is one past the end, sample_offset() might succeed (it only checks samples _up to_ the given sample_id but not _including_ it) while sample_size() fails (because the sample doesn't exist). read_sample() will then panic. Fix this by duplicating the error propagation (that is currently done for sample_offset) for sample_size, instead of unwrapping. This is a cautious change that fixes the bug; alternatively, having sample_offset() call sample_size() on the given sample_id and propagate any error might also work. * Account for header size in box processing overflow fixes * Ensure that boxes aren't bigger than their containers Together with the entry_count checks, this eliminates several OOMs when reading incorrect mp4 files. * Fix order of arithmetic operations This was due to an incorrect transcription when switching to checked arithmetic, and fixes a bug that could cause attempted lookups of the wrong chunk_id.
CandleCandle
pushed a commit
to CandleCandle/mp4-rust
that referenced
this pull request
May 7, 2025
* Fix several overflows in box and track processing * Use size_of::<Type>() instead of magic numbers * Fix a panic in Mp4Track::read_sample() for one-past-the-end This appears to be a bug unmasked by other changes. read_sample() calls sample_offset() then sample_size(), and assumes that if the former returns Ok then the latter does as well. However, if the sample_id is one past the end, sample_offset() might succeed (it only checks samples _up to_ the given sample_id but not _including_ it) while sample_size() fails (because the sample doesn't exist). read_sample() will then panic. Fix this by duplicating the error propagation (that is currently done for sample_offset) for sample_size, instead of unwrapping. This is a cautious change that fixes the bug; alternatively, having sample_offset() call sample_size() on the given sample_id and propagate any error might also work. * Account for header size in box processing overflow fixes * Ensure that boxes aren't bigger than their containers Together with the entry_count checks, this eliminates several OOMs when reading incorrect mp4 files. * Fix order of arithmetic operations This was due to an incorrect transcription when switching to checked arithmetic, and fixes a bug that could cause attempted lookups of the wrong chunk_id.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add checked arithmetic in several places where the code:
(da83d3c isn't an overflow per se, but I think it's in the same spirit.)