| Message ID | 20180202221828.3889-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 118e1b0b3370dd1c0da442901b486689efd1654b |
| Headers | show |
On 2/2/18, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: out of array read > Fixes: poc-2017.avi > > Found-by: GwanYeong Kim <gy741.kim@gmail.com> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/utvideodec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c > index 608c8c4998..1bcd14e74c 100644 > --- a/libavcodec/utvideodec.c > +++ b/libavcodec/utvideodec.c > @@ -676,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx, void > *data, int *got_frame, > for (j = 0; j < c->slices; j++) { > slice_end = bytestream2_get_le32u(&gb); > if (slice_end < 0 || slice_end < slice_start || > - bytestream2_get_bytes_left(&gb) < slice_end) { > + bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) { > av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); > return AVERROR_INVALIDDATA; > } > -- > 2.16.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > Why this magic number 1024LL ?
On Sat, Feb 03, 2018 at 10:16:07AM +0100, Paul B Mahol wrote: > On 2/2/18, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: out of array read > > Fixes: poc-2017.avi > > > > Found-by: GwanYeong Kim <gy741.kim@gmail.com> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/utvideodec.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c > > index 608c8c4998..1bcd14e74c 100644 > > --- a/libavcodec/utvideodec.c > > +++ b/libavcodec/utvideodec.c > > @@ -676,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx, void > > *data, int *got_frame, > > for (j = 0; j < c->slices; j++) { > > slice_end = bytestream2_get_le32u(&gb); > > if (slice_end < 0 || slice_end < slice_start || > > - bytestream2_get_bytes_left(&gb) < slice_end) { > > + bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) { > > av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); > > return AVERROR_INVALIDDATA; > > } > > -- > > 2.16.1 > > > > _______________________________________________ > > ffmpeg-devel mailing list > > ffmpeg-devel@ffmpeg.org > > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > > > Why this magic number 1024LL ? Because of the line later: bytestream2_skipu(&gb, 1024); [...]
On Fri, Feb 02, 2018 at 11:18:28PM +0100, Michael Niedermayer wrote: > Fixes: out of array read > Fixes: poc-2017.avi > > Found-by: GwanYeong Kim <gy741.kim@gmail.com> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/utvideodec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) will apply [...]
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 608c8c4998..1bcd14e74c 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -676,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < c->slices; j++) { slice_end = bytestream2_get_le32u(&gb); if (slice_end < 0 || slice_end < slice_start || - bytestream2_get_bytes_left(&gb) < slice_end) { + bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) { av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); return AVERROR_INVALIDDATA; }
Fixes: out of array read Fixes: poc-2017.avi Found-by: GwanYeong Kim <gy741.kim@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)