[FFmpeg-devel] [FFmpeg-cvslog] avcodec/tiff: do not abort decoding if strips are available
Michael Niedermayer
michael at niedermayer.cc
Mon Nov 2 23:48:52 EET 2020
On Mon, Nov 02, 2020 at 03:32:09PM +0100, Paul B Mahol wrote:
> On Mon, Nov 2, 2020 at 3:28 PM Paul B Mahol <onemda at gmail.com> wrote:
>
> >
> >
> > On Mon, Nov 2, 2020 at 3:06 PM Michael Niedermayer <michael at niedermayer.cc>
> > wrote:
> >
> >> On Mon, Nov 02, 2020 at 11:44:00AM +0100, Paul B Mahol wrote:
> >> > On Mon, Nov 2, 2020 at 11:21 AM Michael Niedermayer
> >> <michael at niedermayer.cc>
> >> > wrote:
> >> >
> >> > > On Wed, Oct 07, 2020 at 08:19:12PM +0000, Paul B Mahol wrote:
> >> > > > ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Fri
> >> Oct 2
> >> > > 12:16:49 2020 +0200| [da5b3d002862d1e105002a6dc1567e6551860896] |
> >> > > committer: Paul B Mahol
> >> > > >
> >> > > > avcodec/tiff: do not abort decoding if strips are available
> >> > > >
> >> > > > Even if such files are invalid, they can be decoded just fine.
> >> > >
> >> > > Please provide such files so it can be implemented correctly
> >> > > this commit causes security issues
> >> > > Without such invalid-tile+stripe-jpegs which we can decode
> >> > > its plausible that a fix to the security issue will break that
> >> > > class of files again
> >> > >
> >> > >
> >> > FIles are freely available on internet, use your search skills to find
> >> it.
> >>
> >> As you know of a specific file and I do not, you should provide a link.
> >> Or add a fate test ...
> >> Its trivial for you, while searching the internet for a specific broken
> >> tiff
> >> file is not a trivial task. None of the files i have tested are affected
> >> by
> >> this
> >>
> >
> > Try harder. If you search user mailing list you would find links to such
> > images.
> > My upload speed is miserable. and files are big, 24 MB even for fate.
> >
> >
> >>
> >> You do not have to of course, but then what else do you imagine should
> >> happen?
> >> Do you want this to be reverted ?
> >> Do you want a open security issue ?
> >> Do you want other developers spend their time searching for a link you
> >> have
> >> but dont tell ?
> >>
> >> Iam sure you realize none of these options really makes sense
> >>
> >> Really. It makes sense to break working files with untested "security
> > fixes".
> >
>
> One such file is still here:
>
> http://www.astro-electronic.de/IMG_3459.dng
Thanks!
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20201102/d3f1e653/attachment.sig>
More information about the ffmpeg-devel
mailing list