
[FFmpeg-devel,v1,1/1] avcodec/vble: Return value check for init_get_bits

Message ID PAXP193MB1262D52E9DD3F95090EA119AB6CB9@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM
State New

Checks

Context                Check     Description
andriy/make_x86        success   Make finished
andriy/make_fate_x86   success   Make fate finished
andriy/make_ppc        success   Make finished
andriy/make_fate_ppc   success   Make fate finished

Commit Message

Maryam Ebrahimzadeh Aug. 30, 2021, 3:56 a.m. UTC
avcodec/vble: Return value check for init_get_bits

Similar to CVE-2021-38171 as the second argument for init_get_bits()
can be crafted, a return value check for this function call is necessary.
Also replace init_get_bits with init_get_bits8.

---
 libavcodec/vble.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Paul B Mahol Aug. 30, 2021, 6:17 a.m. UTC | #1
Not needed, the check is a few lines above.

Maryam Ebrahimzadeh Aug. 30, 2021, 8:19 a.m. UTC | #2
There are some other checks in the init_get_bits function that make the function return AVERROR_INVALIDDATA. So it is essential to check the return value.

Line 629 in libavcodec/get_bits.h function init_get_bits_xe:

    if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) {
        bit_size    = 0;
        buffer      = NULL;
        ret         = AVERROR_INVALIDDATA;
    }

Paul B Mahol Aug. 30, 2021, 6:08 p.m. UTC | #3
Then remove old incomplete checks.
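
The checks discussed in comments #1 to #3, as an added example that is not part of the thread or of FFmpeg's code: a self-contained C model of the condition quoted in comment #2 plus a byte-count wrapper, showing which packet sizes reach the error path when the caller checks the return value. All model_* names, the padding value 64 and the -1 error code are assumptions made for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for this example; not taken from FFmpeg headers. */
#define MODEL_PADDING_SIZE 64      /* assumed input padding, in bytes */
#define MODEL_INVALIDDATA  (-1)    /* placeholder error code */
#define MODEL_MAX(a, b)    ((a) > (b) ? (a) : (b))

typedef struct ModelBits { const uint8_t *buffer; int size_in_bits; } ModelBits;

/* Same condition as the excerpt quoted in comment #2. */
static int model_init_bits(ModelBits *s, const uint8_t *buffer, int bit_size)
{
    int ret = 0;
    if (bit_size >= INT_MAX - MODEL_MAX(7, MODEL_PADDING_SIZE * 8) ||
        bit_size < 0 || !buffer) {
        bit_size = 0;
        buffer   = NULL;
        ret      = MODEL_INVALIDDATA;
    }
    s->buffer       = buffer;
    s->size_in_bits = bit_size;
    return ret;
}

/* Assumed byte-count wrapper: reject sizes whose *8 would not fit in int. */
static int model_init_bits8(ModelBits *s, const uint8_t *buffer, int byte_size)
{
    if (byte_size > INT_MAX / 8 || byte_size < 0)
        byte_size = -1;            /* forces the bit_size < 0 branch */
    return model_init_bits(s, buffer, byte_size * 8);
}

/* Caller shaped like the patched hunk: 4-byte header, then payload. */
static int model_decode(const uint8_t *src, int pkt_size, ModelBits *gb)
{
    int ret = model_init_bits8(gb, src + 4, pkt_size - 4);
    if (ret < 0)
        return ret;                /* stop before any bits are read */
    return gb->size_in_bits;       /* usable payload size in bits */
}

int main(void)
{
    uint8_t pkt[16] = {0};         /* constructed sample packet */
    ModelBits gb;
    printf("%d %d\n", model_decode(pkt, 16, &gb), model_decode(pkt, 3, &gb));
    return 0;
}
```

A declared packet size below 4 or above INT_MAX / 8 + 4 is rejected by the wrapper, and a size just under that limit is still rejected by the padding-margin condition, so only the return value tells the caller the reader is unusable.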

Patch

diff --git a/libavcodec/vble.c b/libavcodec/vble.c
index f1400959e0..041a203fe9 100644
--- a/libavcodec/vble.c
+++ b/libavcodec/vble.c
@@ -146,7 +146,9 @@  static int vble_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     if (version != 1)
         av_log(avctx, AV_LOG_WARNING, "Unsupported VBLE Version: %d\n", version);
 
-    init_get_bits(&gb, src + 4, (avpkt->size - 4) * 8);
+    ret = init_get_bits8(&gb, src + 4, avpkt->size - 4);
+    if (ret < 0)
+        return ret;
 
     /* Unpack */
     if (vble_unpack(ctx, &gb) < 0) {
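
Review bot: The commit message should name which init_get_bits() failure is still reachable at this call site, since comment #1 points to a size check a few lines above that lies outside this hunk. In the visible lines the byte count `avpkt->size - 4` is now passed directly instead of computing `(avpkt->size - 4) * 8` at the call, and `ret < 0` is returned before vble_unpack() runs; if that makes the earlier check redundant, drop it in this same patch as requested in #3, otherwise say in the message why both checks are kept.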