From patchwork Mon Mar 6 14:51:51 2017
X-Patchwork-Submitter: Michał Krasowski
X-Patchwork-Id: 2767
From: Michał Krasowski
To: FFmpeg development discussions and patches
Date: Mon, 6 Mar 2017 15:51:51 +0100
Message-Id: <20170306145151.19939-1-mkrasowski@opera.com>
X-Mailer: git-send-email 2.11.0
Subject: [FFmpeg-devel] [PATCH] Fix off-by-few crasher in ff_h2645_extract_rbsp function
Cc: Michał Krasowski

It seems that the loop tried to access memory regions beyond the allocation, which caused crashes in not-so-rare cases, when the memory read did not belong to the current process. This change fixes the out-of-bounds read problem. Compiling this function with -fsanitize=address and running it doesn't result in a sanitizer warning as it did before.
---
 libavcodec/h2645_parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index c3961a5e90..ccb65eabfe 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -52,7 +52,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, while (src[i]) \ i++ #if HAVE_FAST_64BIT - for (i = 0; i + 1 < length; i += 9) { + for (i = 0; i + 8 < length; i += 9) { if (!((~AV_RN64A(src + i) & (AV_RN64A(src + i) - 0x0100010001000101ULL)) & 0x8000800080008080ULL))
@@ -62,7 +62,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, i -= 7; } #else - for (i = 0; i + 1 < length; i += 5) { + for (i = 0; i + 4 < length; i += 5) { if (!((~AV_RN32A(src + i) & (AV_RN32A(src + i) - 0x01000101U)) & 0x80008080U))
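Review bot: in the first hunk the new guard `i + 8 < length` is one byte stricter than the 8-byte `AV_RN64A(src + i)` read needs (`i + 7 < length` already keeps bytes i..i+7 inside the buffer), so the fast loop gives up one byte earlier than necessary; a short comment on the guard naming the read it protects would make the chosen constant look deliberate rather than like a second off-by-one. Worth noting in that comment too: the `while (src[i]) i++` walk in the context lines has no length check and stops only at a zero byte the probe saw, so keeping the probe inside the buffer is also what keeps that walk inside it.

Review bot: same point for the second hunk's 32-bit path: `AV_RN32A(src + i)` covers bytes i..i+3, so `i + 3 < length` is the minimum the guard needs and `i + 4 < length` leaves one more byte for the byte-wise tail. Whatever rationale is chosen for the 64-bit loop should be applied identically here so the two constants don't drift apart again, and the buffer that triggered the -fsanitize=address report in the commit message would make a good regression test for both paths.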
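As an added illustration, not part of the patch or of FFmpeg's own code, the following C model reproduces the hunk's fast-scan loop with a configurable guard: it reuses the hunk's SWAR predicate, records the highest byte index an 8-byte probe would touch under the old guard (`i + 1 < length`) and the new one (`i + 8 < length`), and locates the 00 00 03 escape in a constructed buffer. The names `scan_result`, `fast_scan`, `word_flags_zero` and the sample arrays are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not FFmpeg's code: a model of the hunk's fast-scan loop
 * showing what the loop guard must guarantee before each 8-byte probe. */
typedef struct { int first_zero; int max_read; } scan_result;

/* The hunk's SWAR predicate. It fires when a probed lane (bytes 0, 1, 3, 5, 7
 * of the word) is zero or absorbs a borrow from a lower zero byte; any two
 * adjacent zero bytes hit a probed lane, which is all a 00 00 xx search needs. */
static int word_flags_zero(uint64_t x)
{
    return ((~x & (x - 0x0100010001000101ULL)) & 0x8000800080008080ULL) != 0;
}

/* Mimics 'for (i = 0; i + guard < length; i += 9)' probing 8 bytes at src + i.
 * max_read is the highest byte index any probe touched; first_zero is the zero
 * byte the fast path stops on, or -1 when it gives up (the real function then
 * finishes byte-wise). Bytes past 'length' are modelled as 0xFF through a
 * window copy so this model stays in bounds; AV_RN64A(src + i) would not. */
static scan_result fast_scan(const uint8_t *src, int length, int guard)
{
    scan_result r = { -1, -1 };
    int i;
    for (i = 0; i + guard < length; i += 9) {
        uint8_t win[8];
        uint64_t w;
        int avail = length - i < 8 ? length - i : 8;
        memset(win, 0xFF, sizeof win);
        memcpy(win, src + i, avail);
        memcpy(&w, win, sizeof w);      /* stands in for AV_RN64A(src + i) */
        r.max_read = i + 7;             /* i only grows, so this is the maximum */
        if (!word_flags_zero(w))
            continue;
        /* The hunk's 'while (src[i]) i++' walks to the zero the probe saw; in
         * the real code that zero can lie past 'length' if the guard is loose. */
        while (src[i])
            i++;
        r.first_zero = i;
        return r;
    }
    return r;
}

/* Constructed samples: 11 non-zero bytes, and 20 bytes with the escape
 * pattern 00 00 03 starting at index 12. */
static const uint8_t sample_nozero[11] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 };
static const uint8_t sample_esc12[20] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
                                          0, 0, 3, 1, 1, 1, 1, 1 };
```

With the 11-byte buffer the old guard lets the probe at i = 9 reach index 16, six bytes past the end, while the new guard stops after the probe at i = 0 and leaves the last three bytes to the byte-wise tail.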