diff mbox series

[FFmpeg-devel,v3,1/1] avcodec/wmalosslessdec: Return value check for init_get_bits

Message ID PAXP193MB1262202F722B4018ED762191B6C99@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM
State New
Series [FFmpeg-devel,v3,1/1] avcodec/wmalosslessdec: Return value check for init_get_bits

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 fail Make fate failed
andriy/make_ppc success Make finished
andriy/make_fate_ppc fail Make fate failed

Commit Message

Maryam Ebrahimzadeh Aug. 28, 2021, 7:23 p.m. UTC
avcodec/wmalosslessdec: Return value check for init_get_bits

Similar to CVE-2021-38171, as the second argument for init_get_bits (avpkt and buf)
can be crafted, a return value check for this function call is necessary.
Also replace init_get_bits with init_get_bits8.


---
 libavcodec/wmalosslessdec.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Paul B Mahol Aug. 28, 2021, 8:44 p.m. UTC | #1
It is not that trivial, that breaks fate and normal decoding, otherwise
would be already applied.
Maryam Ebrahimzadeh Aug. 29, 2021, 4:03 a.m. UTC | #2
Why and where is it breaking normal decoding?
Patch

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 74c91f4f7e..9de60b61c3 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1187,6 +1187,7 @@  static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
     const uint8_t* buf = avpkt->data;
     int buf_size       = avpkt->size;
     int num_bits_prev_frame, packet_sequence_number, spliced_packet;
+    int ret;
 
     s->frame->nb_samples = 0;
 
@@ -1205,7 +1206,9 @@  static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
         s->buf_bit_size      = buf_size << 3;
 
         /* parse packet header */
-        init_get_bits(gb, buf, s->buf_bit_size);
+        ret = init_get_bits8(gb, buf, buf_size);
+        if (ret < 0)
+            return ret;
         packet_sequence_number = get_bits(gb, 4);
         skip_bits(gb, 1);   // Skip seekable_frame_in_packet, currently unused
         spliced_packet = get_bits1(gb);
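Review bot: the assignment `s->buf_bit_size = buf_size << 3;` just above the changed call now duplicates the bit count that `init_get_bits8(gb, buf, buf_size)` derives internally from `buf_size`, so the two values have to stay in step by hand; since `s->buf_bit_size` is a struct field that the rest of the decoder keeps reading (the `remaining_bits(s, gb)` call in the last hunk takes `s`), keep the assignment but add a one-line comment saying it mirrors the reader's size, or derive it from the reader after a successful init rather than computing it separately. The error check itself is the right shape for this call site: `init_get_bits8` rejects a negative or oversized byte count, and returning `ret` before `get_bits(gb, 4)` stops the header parse from running on a reader that was never set up.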
@@ -1256,7 +1259,9 @@  static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
         int frame_size;
 
         s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
-        init_get_bits(gb, avpkt->data, s->buf_bit_size);
+        ret = init_get_bits8(gb, avpkt->data, (avpkt->size - s->next_packet_start));
+        if (ret < 0)
+            return ret;
         skip_bits(gb, s->packet_offset);
 
         if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size &&
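Review bot: the byte count `avpkt->size - s->next_packet_start` is evaluated twice in this hunk (once for `s->buf_bit_size`, once inline in the `init_get_bits8` call) and goes negative whenever `s->next_packet_start` exceeds the packet size; the old `init_get_bits(gb, avpkt->data, s->buf_bit_size);` discarded the return value for that input and decoding simply continued into the `if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size && ...` resync branch below, whereas the new code now returns `ret` and abandons the whole packet. That behaviour change, not the check itself, is the most plausible source of the `make_fate` failures reported in the checks above and of the "breaks normal decoding" objection in the comments. Compute the length once, e.g. `int len = avpkt->size - s->next_packet_start;`, test it explicitly, and decide whether a negative or zero length should be an error or should fall through to the existing resync path; whichever is chosen, state it in the commit message so the FATE difference is explained rather than left as a side effect of `init_get_bits8`.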