From patchwork Thu Sep 19 22:16:57 2019
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 15167
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Fri, 20 Sep 2019 00:16:57 +0200
Message-Id: <20190919221706.16529-3-andreas.rheinhardt@gmail.com>
In-Reply-To: <20190919221706.16529-1-andreas.rheinhardt@gmail.com>
References: <20190919221706.16529-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 02/11] avcodec/mpeg12dec: Sanitize start codes earlier

The MPEG-1/2 decoder uses avpriv_find_start_code to search for start codes
and worked with the resulting start code before checking that it is really
a start code of a slice. In particular, if the picture is so big that a
slice_vertical_position_extension is present, it added the
slice_vertical_position_extension as if it had a slice. Then a left shift is
performed, without making sure that the value to be shifted is nonnegative.
Afterwards the end result is checked, but even if a start code of a
non-slice has been found, it might pass these checks: If
slice_vertical_position_extension is present a start code
< SLICE_MIN_START_CODE can lead to a macroblock-row index that appears
valid. Furthermore, the left shift might make an invalid start code appear
valid by discarding the highest bit.

This has been fixed by checking directly after avpriv_find_start_code has
returned.

Fixes ticket #8162 (which is about the undefined left shifts).

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/mpeg12dec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 83e537884b..1904b75213 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -2011,13 +2011,15 @@ static int slice_decode_thread(AVCodecContext *c, void *arg) start_code = -1; buf = avpriv_find_start_code(buf, s->gb.buffer_end, &start_code); + if (start_code < SLICE_MIN_START_CODE || start_code > SLICE_MAX_START_CODE) + return AVERROR_INVALIDDATA; mb_y = start_code - SLICE_MIN_START_CODE; if (s->codec_id != AV_CODEC_ID_MPEG1VIDEO && s->mb_height > 2800/16) mb_y += (*buf&0xE0)<<2; mb_y <<= field_pic; if (s->picture_structure == PICT_BOTTOM_FIELD) mb_y++; - if (mb_y < 0 || mb_y >= s->end_mb_y) + if (mb_y >= s->end_mb_y) return AVERROR_INVALIDDATA; } }
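Review bot: with the range check placed right after avpriv_find_start_code, mb_y is non-negative through `mb_y <<= field_pic`, so dropping `mb_y < 0` from the final test is sound; but the `mb_y += (*buf&0xE0)<<2;` read a few lines below is still unguarded. Nothing in the hunk ensures buf < s->gb.buffer_end before `*buf` is dereferenced, and avpriv_find_start_code returns the end pointer when the search runs out of data (or when the start code occupies the last four bytes). If the slice buffer is relied on to carry input padding here, a one-line comment saying so would make that explicit; otherwise extend the new early return to `buf >= s->gb.buffer_end` so a picture tall enough to need the extension byte cannot read past the slice data.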
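The ordering problem the commit message describes, as an added example that is not FFmpeg's code: a small C model of the pre-patch and post-patch logic of slice_decode_thread, with a simplified stand-in for avpriv_find_start_code, run on constructed byte sequences. The slice_ctx struct and the names find_start_code, slice_row_before and slice_row_after are this example's own; the start-code range, the 2800/16 threshold and the 0xE0 extension mask are the ones in the hunk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Slice start-code range, same values as libavcodec/mpeg12.h. */
#define SLICE_MIN_START_CODE 0x101
#define SLICE_MAX_START_CODE 0x1af

typedef struct {
    int mpeg1;        /* MPEG-1 stream: no slice_vertical_position_extension */
    int mb_height;    /* picture height in macroblocks */
    int end_mb_y;     /* first macroblock row this thread must not decode */
    int field_pic;    /* 1 for a field picture */
    int bottom_field; /* 1 when picture_structure == PICT_BOTTOM_FIELD */
} slice_ctx;

/* Stand-in for avpriv_find_start_code(): shifts bytes into *state and returns
 * a pointer just past the first 00 00 01 xx sequence, or end if there is none.
 * *state is 0xFFFFFFFF on entry (start_code = -1 in the decoder). */
static const uint8_t *find_start_code(const uint8_t *p, const uint8_t *end,
                                      uint32_t *state)
{
    for (; p < end; p++) {
        *state = (*state << 8) | *p;
        if ((*state >> 8) == 0x000001)
            return p + 1;
    }
    return end;
}

/* Pre-patch order: derive mb_y from the start code first, validate last.
 * The decoder did this in an int and left-shifted it while negative (the
 * undefined behaviour of ticket #8162); int64_t and a multiply keep this
 * example defined while preserving the accept/reject outcome.
 * Returns the macroblock row, or -1 for AVERROR_INVALIDDATA. */
static int slice_row_before(const slice_ctx *c, const uint8_t *buf,
                            const uint8_t *end)
{
    uint32_t start_code = (uint32_t)-1;
    buf = find_start_code(buf, end, &start_code);
    /* the (int32_t) cast wraps exactly like the decoder's uint32 -> int assignment */
    int64_t mb_y = (int32_t)(start_code - SLICE_MIN_START_CODE);
    if (!c->mpeg1 && c->mb_height > 2800 / 16) {
        if (buf >= end)             /* bound added for this example only */
            return -1;
        mb_y += (*buf & 0xE0) << 2; /* slice_vertical_position_extension */
    }
    mb_y *= (int64_t)1 << c->field_pic; /* the decoder: mb_y <<= field_pic */
    if (c->bottom_field)
        mb_y++;
    if (mb_y < 0 || mb_y >= c->end_mb_y)
        return -1;
    return (int)mb_y;
}

/* Post-patch order: reject anything outside the slice range first; every
 * value derived from start_code is then provably non-negative and the
 * mb_y < 0 test is redundant. */
static int slice_row_after(const slice_ctx *c, const uint8_t *buf,
                           const uint8_t *end)
{
    uint32_t start_code = (uint32_t)-1;
    buf = find_start_code(buf, end, &start_code);
    if (start_code < SLICE_MIN_START_CODE || start_code > SLICE_MAX_START_CODE)
        return -1;
    int mb_y = (int)(start_code - SLICE_MIN_START_CODE); /* 0..174 */
    if (!c->mpeg1 && c->mb_height > 2800 / 16) {
        if (buf >= end)
            return -1;
        mb_y += (*buf & 0xE0) << 2;
    }
    mb_y <<= c->field_pic; /* mb_y >= 0 here, so the shift is defined */
    if (c->bottom_field)
        mb_y++;
    if (mb_y >= c->end_mb_y)
        return -1;
    return mb_y;
}

/* Constructed inputs, not taken from any real stream. big_ctx is a 2880-pixel
 * high MPEG-2 picture (180 rows) so the extension byte is consumed. */
static const slice_ctx big_ctx   = { 0, 180, 180, 0, 0 };
static const slice_ctx small_ctx = { 1,  18,  18, 0, 0 }; /* MPEG-1, 288 px */
/* picture_start_code (0x100) followed by 0x3F: extension bits 001 -> +128 */
static const uint8_t pic_start[] = { 0x00, 0x00, 0x01, 0x00, 0x3F, 0xFF };
/* sequence_header_code (0x1B3), above SLICE_MAX_START_CODE */
static const uint8_t seq_hdr[]   = { 0x00, 0x00, 0x01, 0xB3, 0x00, 0x00 };
/* genuine slice 5 with extension bits 001: row 4 + 128 */
static const uint8_t slice5[]    = { 0x00, 0x00, 0x01, 0x05, 0x20, 0x00 };

int main(void)
{
    struct { const char *name; const uint8_t *b; size_t n; } cases[] = {
        { "picture start code", pic_start, sizeof pic_start },
        { "sequence header",    seq_hdr,   sizeof seq_hdr },
        { "slice 5",            slice5,    sizeof slice5 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const uint8_t *b = cases[i].b, *e = b + cases[i].n;
        printf("%-20s big: before=%4d after=%4d  small: before=%4d after=%4d\n",
               cases[i].name,
               slice_row_before(&big_ctx, b, e), slice_row_after(&big_ctx, b, e),
               slice_row_before(&small_ctx, b, e), slice_row_after(&small_ctx, b, e));
    }
    return 0;
}
```

On the tall picture the old order turns a picture_start_code into "row 127" and a sequence_header_code into "row 178", both below end_mb_y and therefore accepted; the new order rejects both before any arithmetic happens. The small MPEG-1 picture shows why the old `mb_y < 0` test looked sufficient: without the extension byte, a start code below SLICE_MIN_START_CODE always yields a negative row.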