[FFmpeg-devel] rpza: fix the bounds check

Submitted by Xiao Yang on June 21, 2018, 3:46 a.m.

Details

Message ID SIXPR01MB0560F1B1EB1140C47DDC749DAD760@SIXPR01MB0560.apcprd01.prod.exchangelabs.com
State New

Commit Message

Xiao Yang June 21, 2018, 3:46 a.m.
Fixes invalid writes when there are more blocks in a run than total remaining blocks

(see CVE-2014-8548)
---
 libavcodec/rpza.c |    5 +++++
 1 file changed, 5 insertions(+)

Comments

Carl Eugen Hoyos June 21, 2018, 8:23 a.m.
2018-06-21 5:46 GMT+02:00, Xiao Yang <YangX92@hotmail.com>:
> Fixes invalid writes when there are more blocks in a run
> than total remaining blocks

Please provide a test-case that allows reproducing the
issue your patch fixes.

> (see CVE-2014-8548)
> ---
>  libavcodec/rpza.c |    5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
> index b71ebd1..7cb6b89 100644
> --- a/libavcodec/rpza.c
> +++ b/libavcodec/rpza.c
> @@ -68,6 +68,11 @@ typedef struct RpzaContext {
>              row_ptr  += stride * 4; \
>          }                           \
>          total_blocks--;             \
> +        if (total_blocks < !!n_blocks) \
> +        { \
> +            av_log(s->avctx, AV_LOG_INFO, "warning: block
> counter just went negative (this should not happen)\n"); \

> +            return; \

This produces several warnings at compile time, please fix them.

Carl Eugen

Patch

diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index b71ebd1..7cb6b89 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -68,6 +68,11 @@  typedef struct RpzaContext {
             row_ptr  += stride * 4; \
         }                           \
         total_blocks--;             \
+        if (total_blocks < !!n_blocks) \
+        { \
+            av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \
+            return; \
+        } \
     }
 
 static int rpza_decode_stream(RpzaContext *s)
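Review bot: the `return; \` added in this hunk returns no value, but the macro it sits in is expanded inside rpza_decode_stream(), which the trailing context shows is declared `static int`; that mismatch is the source of the compile-time warnings raised above, and it also hides the failure from the caller. Return an error code instead, e.g. `return AVERROR_INVALIDDATA; \`, so the decoder aborts the frame with a proper status. Two smaller points in the same block: the message text says "warning" yet is logged at AV_LOG_INFO, so AV_LOG_WARNING (or AV_LOG_ERROR, given that decoding stops) is the appropriate level; and `total_blocks < !!n_blocks` obscures the intent of the check (rejecting a run that would consume more blocks than remain), so either add a short comment stating that intent or write the condition out explicitly.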