
[FFmpeg-devel] interplayacm: check for too large b

Message ID fc2d9da2-f796-38a7-252e-7f02df8b9ce2@googlemail.com
State Accepted
Commit 14e4e26559697cfdea584767be4e68474a0a9c7f

Commit Message

Andreas Cadhalpun Oct. 30, 2016, 7:50 p.m. UTC
This fixes out-of-bounds reads.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/interplayacm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Paul B Mahol Oct. 30, 2016, 9:16 p.m. UTC | #1
On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:
> This fixes out-of-bounds reads.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavcodec/interplayacm.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
> index 0fd3501..0486e00 100644
> --- a/libavcodec/interplayacm.c
> +++ b/libavcodec/interplayacm.c
> @@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind,
> unsigned col)
>      for (i = 0; i < s->rows; i++) {
>          /* b = (x1) + (x2 * 3) + (x3 * 9) */
>          b = get_bits(gb, 5);
> +        if (b > 26) {
> +            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
> +            return AVERROR_INVALIDDATA;
> +        }
>
>          n1 =  (mul_3x3[b] & 0x0F) - 1;
>          n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
> @@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind,
> unsigned col)
>      for (i = 0; i < s->rows; i++) {
>          /* b = (x1) + (x2 * 5) + (x3 * 25) */
>          b = get_bits(gb, 7);
> +        if (b > 124) {
> +            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
> +            return AVERROR_INVALIDDATA;
> +        }
>
>          n1 =  (mul_3x5[b] & 0x0F) - 2;
>          n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
> @@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind,
> unsigned col)
>      for (i = 0; i < s->rows; i++) {
>          /* b = (x1) + (x2 * 11) */
>          b = get_bits(gb, 7);
> +        if (b > 120) {
> +            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
> +            return AVERROR_INVALIDDATA;
> +        }
>
>          n1 =  (mul_2x11[b] & 0x0F) - 5;
>          n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
> --
> 2.10.1
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

probably ok.
Andreas Cadhalpun Oct. 30, 2016, 9:40 p.m. UTC | #2
On 30.10.2016 22:16, Paul B Mahol wrote:
> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote:
>> This fixes out-of-bounds reads.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavcodec/interplayacm.c | 12 ++++++++++++
>>  1 file changed, 12 insertions(+)
>>
>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
>> index 0fd3501..0486e00 100644
>> --- a/libavcodec/interplayacm.c
>> +++ b/libavcodec/interplayacm.c
>> @@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind,
>> unsigned col)
>>      for (i = 0; i < s->rows; i++) {
>>          /* b = (x1) + (x2 * 3) + (x3 * 9) */
>>          b = get_bits(gb, 5);
>> +        if (b > 26) {
>> +            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
>> +            return AVERROR_INVALIDDATA;
>> +        }
>>
>>          n1 =  (mul_3x3[b] & 0x0F) - 1;
>>          n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
>> @@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind,
>> unsigned col)
>>      for (i = 0; i < s->rows; i++) {
>>          /* b = (x1) + (x2 * 5) + (x3 * 25) */
>>          b = get_bits(gb, 7);
>> +        if (b > 124) {
>> +            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
>> +            return AVERROR_INVALIDDATA;
>> +        }
>>
>>          n1 =  (mul_3x5[b] & 0x0F) - 2;
>>          n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
>> @@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind,
>> unsigned col)
>>      for (i = 0; i < s->rows; i++) {
>>          /* b = (x1) + (x2 * 11) */
>>          b = get_bits(gb, 7);
>> +        if (b > 120) {
>> +            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
>> +            return AVERROR_INVALIDDATA;
>> +        }
>>
>>          n1 =  (mul_2x11[b] & 0x0F) - 5;
>>          n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
>> --
>> 2.10.1
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel@ffmpeg.org
>> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
> 
> probably ok.

Pushed.

Best regards,
Andreas

Patch

diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
index 0fd3501..0486e00 100644
--- a/libavcodec/interplayacm.c
+++ b/libavcodec/interplayacm.c
@@ -326,6 +326,10 @@  static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 3) + (x3 * 9) */
         b = get_bits(gb, 5);
+        if (b > 26) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_3x3[b] & 0x0F) - 1;
         n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
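Review bot: The bound in `if (b > 26)` is a literal that has to stay in step with the size of `mul_3x3`, whose declaration is outside this hunk; comparing against the table itself, `if (b >= FF_ARRAY_ELEMS(mul_3x3)) {`, would keep the index check correct if the table is ever resized. The same applies to `b > 124` against `mul_3x5` in t27 and `b > 120` against `mul_2x11` in t37. The literals do agree with the packing comments above each read (2 + 2*3 + 2*9 = 26, 4 + 4*5 + 4*25 = 124, 10 + 10*11 = 120), so this is hardening of a bitstream-controlled index rather than a defect in the patch. All three `av_log` calls pass `NULL` as the context, so the error cannot be attributed to a decoder instance; if an `AVCodecContext` is reachable from `s` (not visible here), passing it would make rejected input traceable in logs. The loop bodies of all three functions continue outside the hunks.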
@@ -351,6 +355,10 @@  static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 5) + (x3 * 25) */
         b = get_bits(gb, 7);
+        if (b > 124) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_3x5[b] & 0x0F) - 2;
         n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
@@ -375,6 +383,10 @@  static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
     for (i = 0; i < s->rows; i++) {
         /* b = (x1) + (x2 * 11) */
         b = get_bits(gb, 7);
+        if (b > 120) {
+            av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
+            return AVERROR_INVALIDDATA;
+        }
 
         n1 =  (mul_2x11[b] & 0x0F) - 5;
         n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;