From patchwork Sun Jul 2 21:24:48 2017
X-Patchwork-Submitter: Hein-Pieter van Braam
X-Patchwork-Id: 4192
From: Hein-Pieter van Braam To: FFmpeg development discussions and patches Date: Sun, 2 Jul 2017 23:24:48 +0200 Message-Id: <20170702212448.23891-1-hp@tmm.cx> X-Mailer: git-send-email 2.9.4 X-Spam-Status: No, score=0.0 required=2.4 tests=UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on eva.tmm.cx Subject: [FFmpeg-devel] [PATCH] avcodec/interplayvideo: Check sizes of decode buffers X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Hein-Pieter van Braam MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: 6503 crash with fuzzed file --- libavcodec/interplayvideo.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index d6f484a..4b0e36d 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -972,6 +972,8 @@ static void ipvideo_decode_format_06_opcodes(IpvideoContext *s, AVFrame *frame) x, y, opcode, bytestream2_tell(&s->stream_ptr)); s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0]; + if (s->pixel_ptr >= (s->pixel_ptr + s->upper_motion_limit_offset)) + return; ipvideo_format_06_passes[pass](s, frame, opcode); } } @@ -1043,6 +1045,12 @@ static void ipvideo_decode_format_10_opcodes(IpvideoContext *s, AVFrame *frame) for (y = 0; y < s->avctx->height; y += 8) { for (x = 0; x < s->avctx->width; x += 8) { s->pixel_ptr = s->cur_decode_frame->data[0] + x + y * s->cur_decode_frame->linesize[0]; + if (s->pixel_ptr > s->pixel_ptr + s->upper_motion_limit_offset) + return; + + if (s->cur_decode_frame->width != s->avctx->width || + s->cur_decode_frame->height != s->avctx->height) + return; while (skip <= 0) { if (skip != -0x8000 && skip) {
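Review bot: the guard added in ipvideo_decode_format_06_opcodes compares a pointer with itself plus an offset, `if (s->pixel_ptr >= (s->pixel_ptr + s->upper_motion_limit_offset))`, so it is true exactly when upper_motion_limit_offset <= 0 (forming a pointer past the object is undefined, so no other outcome can be relied on) and does not depend on the x, y block being decoded at all; it therefore does not establish that the block lies inside the frame. The bound should be taken relative to the buffer start visible two lines earlier, frame->data[0], for instance by comparing the block offset `x + y * frame->linesize[0]` against s->upper_motion_limit_offset before s->pixel_ptr is formed, and the commit message or a comment should state what upper_motion_limit_offset bounds so a reader can verify the `>=` choice. The bare `return` also silently drops the remaining opcodes of the frame; if a truncated frame is the intended outcome, say so in a comment next to the check.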
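Review bot: the same self-referential comparison is repeated in ipvideo_decode_format_10_opcodes, `if (s->pixel_ptr > s->pixel_ptr + s->upper_motion_limit_offset)`, which again only tests the sign of upper_motion_limit_offset rather than the block position, and it uses `>` where the format_06 hunk uses `>=`; the two checks should agree, and both should compare the block offset `x + y * s->cur_decode_frame->linesize[0]` against the limit measured from data[0]. The width/height comparison between s->cur_decode_frame and s->avctx is loop-invariant, so it belongs once before the `for (y = 0; ...)` loop instead of inside the inner loop after s->pixel_ptr has already been computed; hoisting it also ensures a dimension mismatch is rejected before any pointer into the frame is formed.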