From patchwork Sun Jul 2 21:43:27 2017
X-Patchwork-Submitter: Hein-Pieter van Braam
X-Patchwork-Id: 4193
From: Hein-Pieter van Braam
To: FFmpeg development discussions and patches
Date: Sun, 2 Jul 2017 23:43:27 +0200
Message-Id: <20170702214327.26804-1-hp@tmm.cx>
Subject: [FFmpeg-devel] [PATCH v2] avcodec/interplayvideo: Check sizes of decode buffers

Fixes: 6503 crash with fuzzed file
Signed-off-by: Hein-Pieter van Braam
---
libavcodec/interplayvideo.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index d6f484a..86530e6 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -972,6 +972,8 @@ static void ipvideo_decode_format_06_opcodes(IpvideoContext *s, AVFrame *frame) x, y, opcode, bytestream2_tell(&s->stream_ptr)); s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0]; + if (s->pixel_ptr > (s->pixel_ptr + s->upper_motion_limit_offset)) + return; ipvideo_format_06_passes[pass](s, frame, opcode); } }
@@ -1043,6 +1045,12 @@ static void ipvideo_decode_format_10_opcodes(IpvideoContext *s, AVFrame *frame) for (y = 0; y < s->avctx->height; y += 8) { for (x = 0; x < s->avctx->width; x += 8) { s->pixel_ptr = s->cur_decode_frame->data[0] + x + y * s->cur_decode_frame->linesize[0]; + if (s->pixel_ptr > s->pixel_ptr + s->upper_motion_limit_offset) + return; + + if (s->cur_decode_frame->width != s->avctx->width || + s->cur_decode_frame->height != s->avctx->height) + return; while (skip <= 0) { if (skip != -0x8000 && skip) {
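Review bot: the guard added in ipvideo_decode_format_06_opcodes (hunk @@ -972) compares s->pixel_ptr against s->pixel_ptr + s->upper_motion_limit_offset, which never involves the frame buffer's bounds at all: the comparison can only be true when upper_motion_limit_offset is negative, and forming a pointer past the end of the frame data is undefined behaviour, so the compiler is free to fold the test to a constant and drop it. Since the line above computes the position as an offset, `s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0];`, compare that offset to the limit instead, e.g. `if (x + y * frame->linesize[0] > s->upper_motion_limit_offset) return;`. Returning silently also truncates the frame with no diagnostic; an av_log at error level would make the rejected input visible.

Review bot: the second hunk (@@ -1043, ipvideo_decode_format_10_opcodes) repeats the same self-referential pointer comparison, this time without the parentheses, so the two hunks do not even match in style; the fix is the same, compare `x + y * s->cur_decode_frame->linesize[0]` against s->upper_motion_limit_offset. The new width/height check on s->cur_decode_frame is loop-invariant but sits inside both 8-pixel block loops and is re-evaluated for every block; hoist it above `for (y = 0; y < s->avctx->height; y += 8) {` so the mismatch is rejected once, before any pixel_ptr is computed.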