Message ID | fc2d9da2-f796-38a7-252e-7f02df8b9ce2@googlemail.com |
---|---|
State | Accepted |
Commit | 14e4e26559697cfdea584767be4e68474a0a9c7f |
On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: > This fixes out-of-bounds reads. > > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > --- > libavcodec/interplayacm.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c > index 0fd3501..0486e00 100644 > --- a/libavcodec/interplayacm.c > +++ b/libavcodec/interplayacm.c > @@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, > unsigned col) > for (i = 0; i < s->rows; i++) { > /* b = (x1) + (x2 * 3) + (x3 * 9) */ > b = get_bits(gb, 5); > + if (b > 26) { > + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b); > + return AVERROR_INVALIDDATA; > + } > > n1 = (mul_3x3[b] & 0x0F) - 1; > n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; > @@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, > unsigned col) > for (i = 0; i < s->rows; i++) { > /* b = (x1) + (x2 * 5) + (x3 * 25) */ > b = get_bits(gb, 7); > + if (b > 124) { > + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b); > + return AVERROR_INVALIDDATA; > + } > > n1 = (mul_3x5[b] & 0x0F) - 2; > n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; > @@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, > unsigned col) > for (i = 0; i < s->rows; i++) { > /* b = (x1) + (x2 * 11) */ > b = get_bits(gb, 7); > + if (b > 120) { > + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b); > + return AVERROR_INVALIDDATA; > + } > > n1 = (mul_2x11[b] & 0x0F) - 5; > n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5; > -- > 2.10.1 > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > probably ok.
On 30.10.2016 22:16, Paul B Mahol wrote: > On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: >> This fixes out-of-bounds reads. >> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> --- >> libavcodec/interplayacm.c | 12 ++++++++++++ >> 1 file changed, 12 insertions(+) >> >> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c >> index 0fd3501..0486e00 100644 >> --- a/libavcodec/interplayacm.c >> +++ b/libavcodec/interplayacm.c >> @@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, >> unsigned col) >> for (i = 0; i < s->rows; i++) { >> /* b = (x1) + (x2 * 3) + (x3 * 9) */ >> b = get_bits(gb, 5); >> + if (b > 26) { >> + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b); >> + return AVERROR_INVALIDDATA; >> + } >> >> n1 = (mul_3x3[b] & 0x0F) - 1; >> n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; >> @@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, >> unsigned col) >> for (i = 0; i < s->rows; i++) { >> /* b = (x1) + (x2 * 5) + (x3 * 25) */ >> b = get_bits(gb, 7); >> + if (b > 124) { >> + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b); >> + return AVERROR_INVALIDDATA; >> + } >> >> n1 = (mul_3x5[b] & 0x0F) - 2; >> n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; >> @@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, >> unsigned col) >> for (i = 0; i < s->rows; i++) { >> /* b = (x1) + (x2 * 11) */ >> b = get_bits(gb, 7); >> + if (b > 120) { >> + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b); >> + return AVERROR_INVALIDDATA; >> + } >> >> n1 = (mul_2x11[b] & 0x0F) - 5; >> n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5; >> -- >> 2.10.1 >> _______________________________________________ >> ffmpeg-devel mailing list >> ffmpeg-devel@ffmpeg.org >> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> > > probably ok. Pushed. Best regards, Andreas
diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
index 0fd3501..0486e00 100644
--- a/libavcodec/interplayacm.c
+++ b/libavcodec/interplayacm.c
@@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
 for (i = 0; i < s->rows; i++) {
 /* b = (x1) + (x2 * 3) + (x3 * 9) */
 b = get_bits(gb, 5);
+ if (b > 26) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
+ return AVERROR_INVALIDDATA;
+ }
 
 n1 = (mul_3x3[b] & 0x0F) - 1;
 n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
@@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
 for (i = 0; i < s->rows; i++) {
 /* b = (x1) + (x2 * 5) + (x3 * 25) */
 b = get_bits(gb, 7);
+ if (b > 124) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
+ return AVERROR_INVALIDDATA;
+ }
 
 n1 = (mul_3x5[b] & 0x0F) - 2;
 n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
@@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
 for (i = 0; i < s->rows; i++) {
 /* b = (x1) + (x2 * 11) */
 b = get_bits(gb, 7);
+ if (b > 120) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
+ return AVERROR_INVALIDDATA;
+ }
 
 n1 = (mul_2x11[b] & 0x0F) - 5;
 n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
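Review bot: The bound `b > 26` added in t15 is a bare literal that has to stay in step with the size of `mul_3x3`, whose declaration is outside the hunk; the same holds for `b > 124` against `mul_3x5` in t27 and `b > 120` against `mul_2x11` in t37. Deriving the limit from the table itself, e.g. `if (b >= FF_ARRAY_ELEMS(mul_3x3)) {`, keeps the check correct if a table is ever resized, so the out-of-bounds read cannot quietly return. If the literals stay, a short comment such as `/* mul_3x3 has 27 entries (3*3*3) */` would record where the number comes from; the entry count is presumably 27 going by the `x1 + x2*3 + x3*9` comment and should be confirmed against the table. The loop body and the rest of each function continue outside the hunks.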
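Review bot: The `av_log(NULL, AV_LOG_ERROR, ...)` call added in t27, and identically in t15 and t37, logs without a context, so the message cannot be tied to a decoder instance or stream when a malformed file is being triaged. If `InterplayACMContext` can reach the codec context (its definition is not in the hunk), passing that instead of `NULL` would make the rejection traceable. The message also prints `b` with `%d`; the declaration of `b` is outside the hunk, and if it is unsigned like `ind` and `col` the specifier should be `%u`.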
This fixes out-of-bounds reads. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> --- libavcodec/interplayacm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)