
fix: Harden JUMBF embed media description box parser against integer underflow attack #1950

Open
ssanthosh wants to merge 2 commits into main from ssanthosh/vulnerability_fixes_integer_underflow_EmbedMediaDesc_parser

Conversation

@ssanthosh

Changes in this pull request

Security Fix: Index Out-of-Bounds issue in read_embedded_media_desc_box on parsing JUMBF EmbedMediaDesc Box

Issue

BoxReader::read_embedded_media_desc_box (sdk/src/jumbf/boxes.rs) crashes when parsing a crafted bfdb box with size=9 (8-byte BMFF header + 1-byte toggles, no media type data).

data_len = size - HEADER_SIZE - TOGGLE_SIZE = 9 - 8 - 1 = 0 causes read_to_vec(0) to return an empty buffer. The _ match arm then evaluates buf[buf.len() - 1] where buf.len() = 0, causing a usize underflow and an index-out-of-bounds panic in both debug and release builds.


Fix

  1. Minimum size guard — rejects any bfdb box with size < 9 (HEADER_SIZE + TOGGLE_SIZE) before any reads, preventing u64 underflow in the data_len computation for boxes smaller than a toggles-only payload.

  2. Safe last-byte access — replaced buf[buf.len() - 1] with buf.last(), which returns None for an empty slice and safely handles the size=9 empty media type case.


Test

embedded_media_desc_box_handles_empty_media_type_and_rejects_undersized:

| size | Expected | Why |
|------|----------|-----|
| 9 | Ok | Valid empty media type — writer produces this; crash fixed by buf.last() |
| 8 | Err | No toggles byte — data_len underflows without minimum size guard |
| 0 | Err | BMFF "extends to EOF" sentinel; invalid for a bounded inner box |

Checklist

  • This PR represents a single feature, fix, or change.
  • All applicable changes have been documented.
  • Any TO DO items (or similar) have been entered as GitHub issues and the link to that issue has been included in a comment.
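The two fixes described in this PR, modelled in an added example that is not the c2pa-rs code from sdk/src/jumbf/boxes.rs. The box layout is an assumption taken from the description (8-byte BMFF header with a big-endian u32 size and the 4-byte type `bfdb`, one toggles byte, then the media type, optionally null-terminated); `parse_vulnerable`, `parse_hardened`, `make_bfdb_box` and `vulnerable_panics` are hypothetical names for this illustration, and the sample boxes are constructed inline. The hardened parser carries the minimum size guard and the `buf.last()` access; the vulnerable one keeps the `buf[buf.len() - 1]` pattern so the size=9 panic can be observed under `catch_unwind`.

```rust
// Added example modelling the bfdb parser fixes from the PR; not c2pa-rs code.
use std::io::{self, Cursor, Read};
use std::panic;

const HEADER_SIZE: u64 = 8; // u32 size + 4-byte box type (assumed layout)
const TOGGLE_SIZE: u64 = 1; // one toggles byte

#[derive(Debug, PartialEq)]
pub struct EmbeddedMediaDesc {
    pub toggles: u8,
    pub media_type: Vec<u8>,
    pub null_terminated: bool,
}

fn invalid(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidData, msg)
}

/// Reads the 8-byte BMFF header and returns the declared box size.
fn read_header<R: Read>(r: &mut R) -> io::Result<u64> {
    let mut hdr = [0u8; 8];
    r.read_exact(&mut hdr)?;
    if &hdr[4..8] != b"bfdb" {
        return Err(invalid("not a bfdb box"));
    }
    Ok(u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as u64)
}

/// The pattern the PR describes: unchecked subtraction for data_len and a
/// direct buf[buf.len() - 1] read. Kept only to show the failure on size=9.
pub fn parse_vulnerable(data: &[u8]) -> io::Result<EmbeddedMediaDesc> {
    let mut r = Cursor::new(data);
    let size = read_header(&mut r)?;
    let mut toggles = [0u8; 1];
    r.read_exact(&mut toggles)?;
    let data_len = (size - HEADER_SIZE - TOGGLE_SIZE) as usize;
    let mut buf = vec![0u8; data_len];
    r.read_exact(&mut buf)?;
    // size=9 leaves buf empty: buf.len() - 1 underflows and this panics.
    let null_terminated = buf[buf.len() - 1] == 0;
    if null_terminated {
        buf.pop();
    }
    Ok(EmbeddedMediaDesc { toggles: toggles[0], media_type: buf, null_terminated })
}

/// Hardened version: minimum size guard before any further read, and
/// last() instead of indexing for the terminator check.
pub fn parse_hardened(data: &[u8]) -> io::Result<EmbeddedMediaDesc> {
    let mut r = Cursor::new(data);
    let size = read_header(&mut r)?;
    // Fix 1: anything smaller than header + toggles cannot be a valid bfdb
    // box, so reject it here and the data_len subtraction below cannot
    // underflow. This also rejects size=0, the BMFF "extends to EOF" sentinel.
    if size < HEADER_SIZE + TOGGLE_SIZE {
        return Err(invalid("bfdb box too small"));
    }
    let data_len = (size - HEADER_SIZE - TOGGLE_SIZE) as usize;
    let mut toggles = [0u8; 1];
    r.read_exact(&mut toggles)?;
    let mut buf = vec![0u8; data_len];
    r.read_exact(&mut buf)?;
    // Fix 2: last() returns None for an empty slice, so a toggles-only box
    // (size=9) parses as an empty media type instead of panicking.
    let null_terminated = buf.last() == Some(&0);
    if null_terminated {
        buf.pop();
    }
    Ok(EmbeddedMediaDesc { toggles: toggles[0], media_type: buf, null_terminated })
}

/// Builds a constructed bfdb box with an explicitly chosen size field so that
/// undersized headers can be produced (sample input, not real JUMBF data).
pub fn make_bfdb_box(size: u32, toggles: u8, media_type: &[u8]) -> Vec<u8> {
    let mut v = Vec::with_capacity(9 + media_type.len());
    v.extend_from_slice(&size.to_be_bytes());
    v.extend_from_slice(b"bfdb");
    v.push(toggles);
    v.extend_from_slice(media_type);
    v
}

/// Runs the vulnerable parser and reports whether it panicked.
pub fn vulnerable_panics(data: &[u8]) -> bool {
    panic::catch_unwind(|| parse_vulnerable(data).is_ok()).is_err()
}

fn main() {
    let full = make_bfdb_box(20, 1, b"image/jpeg\0");
    println!("size=20 hardened: {:?}", parse_hardened(&full));
    let empty = make_bfdb_box(9, 1, b"");
    println!("size=9 hardened: {:?}", parse_hardened(&empty));
    println!("size=9 vulnerable panics: {}", vulnerable_panics(&empty));
    println!("size=8 hardened: {:?}", parse_hardened(&make_bfdb_box(8, 1, b"")));
    println!("size=0 hardened: {:?}", parse_hardened(&make_bfdb_box(0, 1, b"")));
}
```

The guard is placed before the toggles read rather than after it, so that the size check is the first decision made on attacker-controlled input and no allocation is sized from an unchecked subtraction. Note that `read_exact` still returns `UnexpectedEof` when a box declares more data than is present, which is the right outcome for a truncated box and is independent of the two fixes.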

@ssanthosh ssanthosh self-assigned this Mar 18, 2026
@ssanthosh ssanthosh added labels bug (Something isn't working) and safe to test Mar 18, 2026
@codspeed-hq

codspeed-hq bot commented Mar 18, 2026

Merging this PR will not alter performance

✅ 32 untouched benchmarks
⏩ 2 skipped benchmarks [1]


Comparing ssanthosh/vulnerability_fixes_integer_underflow_EmbedMediaDesc_parser (b63d69f) with main (3367b25)


Footnotes

  [1] 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, archive them in CodSpeed to remove them from the performance reports.

@ssanthosh ssanthosh requested a review from gpeacock March 23, 2026 16:48