[FFmpeg-devel] avcodec/mlpdec: filter invalid block size

Message ID 1578542029-29651-1-git-send-email-showvin@qq.com
State New

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Xingwen.Fang Jan. 9, 2020, 3:53 a.m. UTC
From: Xingwen Fang <fxw@rock-chips.com>

When the block size is illegal, we don't need to read the
block data. Otherwise, there will be abnormal memory access
in dsp.mlp_filter_channel.

Signed-off-by: Xingwen Fang <fxw@rock-chips.com>
---
 libavcodec/mlpdec.c | 5 +++++
 1 file changed, 5 insertions(+)
  

Comments

Carl Eugen Hoyos Jan. 21, 2020, 1:22 a.m. UTC | #1
On Thu, Jan 9, 2020 at 04:54, Xingwen.Fang <showvin@qq.com> wrote:
>
> From: Xingwen Fang <fxw@rock-chips.com>
>
> When the block size is illegal, we don't need to read the
> block data. Otherwise, there will be abnormal memory access
> in dsp.mlp_filter_channel.
>
> Signed-off-by: Xingwen Fang <fxw@rock-chips.com>
> ---
>  libavcodec/mlpdec.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
> index 39c4091..198d3c0 100644
> --- a/libavcodec/mlpdec.c
> +++ b/libavcodec/mlpdec.c
> @@ -1263,6 +1263,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data,
>              if (!s->restart_seen)
>                  goto next_substr;
>
> +            if (s->blocksize < 8) {
> +                av_log(m->avctx, AV_LOG_ERROR, "Block size is too small.\n");
> +                goto next_substr;
> +            }
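
Review bot: the threshold in "if (s->blocksize < 8)" is a bare constant with no comment, and the commit message only calls the size illegal without saying why 8 is the minimum that keeps dsp.mlp_filter_channel within bounds. A one-line comment or a named constant would make the bound checkable in review, and the av_log message would be more useful for triage if it printed the offending s->blocksize value.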

Can you provide a sample file that shows the invalid memory access?

Carl Eugen
  

Patch

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 39c4091..198d3c0 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -1263,6 +1263,11 @@  static int read_access_unit(AVCodecContext *avctx, void* data,
             if (!s->restart_seen)
                 goto next_substr;
 
+            if (s->blocksize < 8) {
+                av_log(m->avctx, AV_LOG_ERROR, "Block size is too small.\n");
+                goto next_substr;
+            }
+
             if ((ret = read_block_data(m, &gb, substr)) < 0)
                 return ret;
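
Review bot: error handling in the added branch is inconsistent with the line right after it: the "s->blocksize < 8" case logs at AV_LOG_ERROR and then does "goto next_substr", so read_access_unit carries on and the caller sees no failure, while a failing read_block_data returns ret. If a too-small block size means the stream is invalid, consider returning AVERROR_INVALIDDATA here; if skipping the substream is the intended behaviour, a lower log level and a sentence in the commit message saying so would make that explicit.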