From patchwork Tue Sep 15 07:39:52 2020
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Tue, 15 Sep 2020 09:39:52 +0200
Message-Id: <20200915074000.102622-22-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200915074000.102622-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 22/30] avcodec/mobiclip: Fix heap-buffer-overflow

The MobiClip decoder uses adjacent pixels for prediction; yet when accessing the left pixel, it was forgotten to clip the x coordinate. This results in a heap-buffer-overflow. It can e.g. be reproduced with the sample from https://samples.ffmpeg.org/V-codecs/MOHD/crap.avi when forcing the video decoder to mobiclip.
Signed-off-by: Andreas Rheinhardt --- libavcodec/mobiclip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mobiclip.c b/libavcodec/mobiclip.c index 8758e7f617..47387fce90 100644 --- a/libavcodec/mobiclip.c +++ b/libavcodec/mobiclip.c @@ -905,7 +905,7 @@ static int predict_intra(AVCodecContext *avctx, AVFrame *frame, int ax, int ay, int arr1[16]; int arr2[16]; uint8_t *top = frame->data[plane] + FFMAX(ay - 1, 0) * frame->linesize[plane] + ax; - uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + ax - 1; + uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + FFMAX(ax - 1, 0); int bottommost = frame->data[plane][(ay + size - 1) * frame->linesize[plane] + FFMAX(ax - 1, 0)]; int rightmost = frame->data[plane][FFMAX(ay - 1, 0) * frame->linesize[plane] + ax + size - 1]; int avg = (bottommost + rightmost + 1) / 2 + 2 * get_se_golomb(gb);
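Review bot: The clamp on `left` is consistent with the existing `FFMAX(ay - 1, 0)` on `top` and the `FFMAX(ax - 1, 0)` already used for `bottommost` in the same hunk, so the fix looks right; the commit message should also state that for blocks at `ax == 0` the predictor now reads the block's own first column (exactly as `top` already does at `ay == 0`) instead of a neighbour, because that is a decoder behaviour choice and not only a bounds fix, and a reviewer checking bit-exactness against the reference will want that spelled out. Worth a second look in the same function: `rightmost` indexes `ax + size - 1` and `bottommost` indexes `(ay + size - 1) * linesize`, and nothing in this hunk bounds those against the plane dimensions, so the right and bottom edges rely entirely on the caller keeping `ax + size` and `ay + size` inside the frame.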