[FFmpeg-devel] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

Submitted by Matthew Wolenetz on Dec. 14, 2016, 11:39 p.m.

Details

Message ID CAADho6NYMw9g5NdB=MnGL8d2xvBWgQmDW9w5rEd8Twe1RwBVyA@mail.gmail.com
State New

Commit Message

Matthew Wolenetz Dec. 14, 2016, 11:39 p.m.
Similar to existing lavc/vorbisdec.c code which first checks that
avc->channels is valid for accessing ff_vorbis_channel_layouts, this
change adds protection to libopusdec.c to prevent accessing that
array with a negative index. Reference https://crbug.com/666794.

Comments

Andreas Cadhalpun Dec. 15, 2016, 1:43 a.m.
On 15.12.2016 00:39, Matthew Wolenetz wrote:
> From 141e56ccf7fc56646424484d357b6c74a486d2e2 Mon Sep 17 00:00:00 2001
> From: Matt Wolenetz <wolenetz@chromium.org>
> Date: Mon, 21 Nov 2016 17:30:50 -0800
> Subject: [PATCH] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB
> 
> Similar to existing lavc/vorbisdec.c code which first checks that
> avc->channels is valid for accessing ff_vorbis_channel_layouts, this
> change adds protection to libopusdec.c to prevent accessing that
> array with a negative index. Reference https://crbug.com/666794.
> ---
>  libavcodec/libopusdec.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
> index acc62f1..c2c7adc 100644
> --- a/libavcodec/libopusdec.c
> +++ b/libavcodec/libopusdec.c
> @@ -50,6 +50,10 @@ static av_cold int libopus_decode_init(AVCodecContext *avc)
>      avc->sample_rate    = 48000;
>      avc->sample_fmt     = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ?
>                            AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16;
> +    if (avc->channels <= 0) {
> +        av_log(avc, AV_LOG_ERROR, "Invalid number of channels\n");
> +        return AVERROR(EINVAL);
> +    }
>      avc->channel_layout = avc->channels > 8 ? 0 :
>                            ff_vorbis_channel_layouts[avc->channels - 1];
>  
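
Review bot: the two bounds that guard `ff_vorbis_channel_layouts[avc->channels - 1]` now live in different places, the new `avc->channels <= 0` test for the lower bound and the existing `avc->channels > 8` ternary for the upper one, and nothing in the hunk says so. A short comment above the new `if` noting that zero and negative counts are rejected here while counts above 8 fall through to layout 0 below would make the pair easier to audit together, and would make clear that a count of 0 (index -1) is the case the commit message means by "negative index".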

What version of ffmpeg is this based on?

I'm pretty sure I fixed this issue with commit
8c8f543b81aa2b50bb6a6cfd370a0061281492a3.

Best regards,
Andreas

Matthew Wolenetz Dec. 15, 2016, 7:05 p.m.
Ah, you're right. My fix was based on a slightly earlier version that
didn't yet have your fix in it. Disregard my patch.

Matt

On Wed, Dec 14, 2016 at 5:43 PM, Andreas Cadhalpun <
andreas.cadhalpun@googlemail.com> wrote:

> On 15.12.2016 00:39, Matthew Wolenetz wrote:
> > From 141e56ccf7fc56646424484d357b6c74a486d2e2 Mon Sep 17 00:00:00 2001
> > From: Matt Wolenetz <wolenetz@chromium.org>
> > Date: Mon, 21 Nov 2016 17:30:50 -0800
> > Subject: [PATCH] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB
> >
> > Similar to existing lavc/vorbisdec.c code which first checks that
> > avc->channels is valid for accessing ff_vorbis_channel_layouts, this
> > change adds protection to libopusdec.c to prevent accessing that
> > array with a negative index. Reference https://crbug.com/666794.
> > ---
> >  libavcodec/libopusdec.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
> > index acc62f1..c2c7adc 100644
> > --- a/libavcodec/libopusdec.c
> > +++ b/libavcodec/libopusdec.c
> > @@ -50,6 +50,10 @@ static av_cold int libopus_decode_init(AVCodecContext
> *avc)
> >      avc->sample_rate    = 48000;
> >      avc->sample_fmt     = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ?
> >                            AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16;
> > +    if (avc->channels <= 0) {
> > +        av_log(avc, AV_LOG_ERROR, "Invalid number of channels\n");
> > +        return AVERROR(EINVAL);
> > +    }
> >      avc->channel_layout = avc->channels > 8 ? 0 :
> >                            ff_vorbis_channel_layouts[avc->channels - 1];
> >
>
> What version of ffmpeg is this based on?
>
> I'm pretty sure I fixed this issue with commit
> 8c8f543b81aa2b50bb6a6cfd370a0061281492a3.
>
> Best regards,
> Andreas

Patch

From 141e56ccf7fc56646424484d357b6c74a486d2e2 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz <wolenetz@chromium.org>
Date: Mon, 21 Nov 2016 17:30:50 -0800
Subject: [PATCH] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

Similar to existing lavc/vorbisdec.c code which first checks that
avc->channels is valid for accessing ff_vorbis_channel_layouts, this
change adds protection to libopusdec.c to prevent accessing that
array with a negative index. Reference https://crbug.com/666794.
---
 libavcodec/libopusdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
index acc62f1..c2c7adc 100644
--- a/libavcodec/libopusdec.c
+++ b/libavcodec/libopusdec.c
@@ -50,6 +50,10 @@  static av_cold int libopus_decode_init(AVCodecContext *avc)
     avc->sample_rate    = 48000;
     avc->sample_fmt     = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ?
                           AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16;
+    if (avc->channels <= 0) {
+        av_log(avc, AV_LOG_ERROR, "Invalid number of channels\n");
+        return AVERROR(EINVAL);
+    }
     avc->channel_layout = avc->channels > 8 ? 0 :
                           ff_vorbis_channel_layouts[avc->channels - 1];
 
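
Review bot: the error path in the added block logs "Invalid number of channels" without the rejected value; printing it, for example `av_log(avc, AV_LOG_ERROR, "Invalid number of channels: %d\n", avc->channels);`, would let a report against a malformed input show what was refused. The check could also move above the `avc->sample_rate` and `avc->sample_fmt` assignments, so that the context is not partly written when init returns `AVERROR(EINVAL)`.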
-- 
2.8.0.rc3.226.g39d4020