Message ID | 20210719221628.3267604-1-tfoucu@gmail.com |
---|---|
State | New |
Series | [FFmpeg-devel] libavcodec/mpeg12dec.c: Check return value of init_get_bits |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
Thierry Foucu: > --- > libavcodec/mpeg12dec.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c > index b27ed5bd6d..edca202f0e 100644 > --- a/libavcodec/mpeg12dec.c > +++ b/libavcodec/mpeg12dec.c > @@ -1341,8 +1341,11 @@ static int mpeg1_decode_picture(AVCodecContext *avctx, const uint8_t *buf, > Mpeg1Context *s1 = avctx->priv_data; > MpegEncContext *s = &s1->mpeg_enc_ctx; > int ref, f_code, vbv_delay; > + int ret = 0; > > - init_get_bits(&s->gb, buf, buf_size * 8); > + ret = init_get_bits(&s->gb, buf, buf_size * 8); > + if (ret < 0) > + return ret; > > ref = get_bits(&s->gb, 10); /* temporal ref */ > s->pict_type = get_bits(&s->gb, 3); > Actually, you should use init_get_bits8(), because this checks that buf_size * 8 actually fits into an int. (Are sizes > 256MiB actually possible for mpeg1/2? I doubt it.) - Andreas
On Mon, Jul 19, 2021 at 3:50 PM Andreas Rheinhardt < andreas.rheinhardt@outlook.com> wrote: > Thierry Foucu: > > --- > > libavcodec/mpeg12dec.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c > > index b27ed5bd6d..edca202f0e 100644 > > --- a/libavcodec/mpeg12dec.c > > +++ b/libavcodec/mpeg12dec.c > > @@ -1341,8 +1341,11 @@ static int mpeg1_decode_picture(AVCodecContext > *avctx, const uint8_t *buf, > > Mpeg1Context *s1 = avctx->priv_data; > > MpegEncContext *s = &s1->mpeg_enc_ctx; > > int ref, f_code, vbv_delay; > > + int ret = 0; > > > > - init_get_bits(&s->gb, buf, buf_size * 8); > > + ret = init_get_bits(&s->gb, buf, buf_size * 8); > > + if (ret < 0) > > + return ret; > > > > ref = get_bits(&s->gb, 10); /* temporal ref */ > > s->pict_type = get_bits(&s->gb, 3); > > > Actually, you should use init_get_bits8(), because this checks that > buf_size * 8 actually fits into an int. > Done. Sent new patch > (Are sizes > 256MiB actually possible for mpeg1/2? I doubt it.) > it could happen if the file is broken and the demuxer does not check for packet size - Andreas
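The point the two replies circle around (checking the bit count inside init_get_bits() versus checking the byte count before the multiplication in init_get_bits8()) is easier to see in code. The block below is an added example for this page, not FFmpeg code and not the patch under review: it models the two init contracts the thread describes with hypothetical names (ExampleBitCtx, example_init_bits, example_init_bits8, example_get_bits, example_decode_picture, EXAMPLE_EINVAL standing in for AVERROR_INVALIDDATA), reads the same 10-bit temporal reference and 3-bit picture type the hunk reads, propagates the init error as the patch does, and goes one step beyond the hunk by rejecting a packet too short to hold those 13 bits instead of reading zeros. The two-byte header is constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not FFmpeg code. EXAMPLE_EINVAL stands in for
 * AVERROR_INVALIDDATA; all names below are hypothetical. */
#define EXAMPLE_EINVAL (-22)

typedef struct {
    const uint8_t *buffer;
    int index;         /* current read position, in bits */
    int size_in_bits;  /* total readable bits */
} ExampleBitCtx;

/* Same contract as init_get_bits(): the caller hands over a bit count it has
 * already computed. Every check here runs after the caller's multiplication,
 * so an int overflow in "byte_size * 8" has already happened and is invisible;
 * only a negative, too-large or null input can be rejected. */
static int example_init_bits(ExampleBitCtx *s, const uint8_t *buffer, int bit_size)
{
    if (bit_size < 0 || bit_size > INT_MAX - 7 || !buffer) {
        s->buffer = NULL;
        s->index = 0;
        s->size_in_bits = 0;
        return EXAMPLE_EINVAL;
    }
    s->buffer = buffer;
    s->index = 0;
    s->size_in_bits = bit_size;
    return 0;
}

/* Same contract as init_get_bits8(): take the byte count and bound it against
 * INT_MAX / 8 before multiplying, so the product can never overflow. */
static int example_init_bits8(ExampleBitCtx *s, const uint8_t *buffer, int byte_size)
{
    if (byte_size < 0 || byte_size > INT_MAX / 8)
        return example_init_bits(s, NULL, -1);   /* force the error path */
    return example_init_bits(s, buffer, byte_size * 8);
}

/* Returns 1 when byte_size * 8 would not fit in an int. Computed in a wider
 * type so the demonstration itself has no undefined behaviour. */
static int example_bit_count_overflows(int byte_size)
{
    return (long long)byte_size * 8 > INT_MAX;
}

/* Read n (<= 31) bits MSB-first; reading past the end yields zero bits. */
static unsigned example_get_bits(ExampleBitCtx *s, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        unsigned bit = 0;
        if (s->index < s->size_in_bits)
            bit = (s->buffer[s->index >> 3] >> (7 - (s->index & 7))) & 1u;
        v = (v << 1) | bit;
        s->index++;
    }
    return v;
}

/* Picture-header reader shaped like the hunk under discussion: 10 bits of
 * temporal reference, then 3 bits of picture type. The init result is
 * propagated, and a packet shorter than the 13 header bits is rejected. */
static int example_decode_picture(const uint8_t *buf, int buf_size,
                                  unsigned *temporal_ref, unsigned *pict_type)
{
    ExampleBitCtx gb;
    int ret = example_init_bits8(&gb, buf, buf_size);
    if (ret < 0)
        return ret;
    if (gb.size_in_bits < 13)
        return EXAMPLE_EINVAL;
    *temporal_ref = example_get_bits(&gb, 10);
    *pict_type    = example_get_bits(&gb, 3);
    return 0;
}

/* Constructed two-byte header: temporal_ref = 5 (0000000101), pict_type = 1
 * (001), three padding bits -> 0000 0001 0100 1000 = 0x01 0x48. */
static const uint8_t EXAMPLE_HEADER[2] = { 0x01, 0x48 };

int main(void)
{
    unsigned ref = 0, type = 0;
    int ret = example_decode_picture(EXAMPLE_HEADER, (int)sizeof EXAMPLE_HEADER, &ref, &type);
    printf("valid header: ret=%d temporal_ref=%u pict_type=%u\n", ret, ref, type);
    /* A demuxer that does not bound packet size could hand over a size like
     * this; the byte-count check rejects it before any multiplication. */
    ret = example_decode_picture(EXAMPLE_HEADER, INT_MAX / 8 + 1, &ref, &type);
    printf("oversized packet: ret=%d (bit count would overflow: %d)\n", ret,
           example_bit_count_overflows(INT_MAX / 8 + 1));
    return 0;
}
```

The design point is where the bound sits: example_init_bits() can only judge the number it is given, so a caller that multiplies first has already lost; example_init_bits8() owns the multiplication and therefore the bound, which is why the reply recommends init_get_bits8() over checking init_get_bits()'s return value alone.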
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index b27ed5bd6d..edca202f0e 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1341,8 +1341,11 @@ static int mpeg1_decode_picture(AVCodecContext *avctx, const uint8_t *buf, Mpeg1Context *s1 = avctx->priv_data; MpegEncContext *s = &s1->mpeg_enc_ctx; int ref, f_code, vbv_delay; + int ret = 0; - init_get_bits(&s->gb, buf, buf_size * 8); + ret = init_get_bits(&s->gb, buf, buf_size * 8); + if (ret < 0) + return ret; ref = get_bits(&s->gb, 10); /* temporal ref */ s->pict_type = get_bits(&s->gb, 3);
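Review bot: the new `if (ret < 0)` check in this hunk comes too late for the oversized-buffer case it is meant to guard against, because `buf_size * 8` is evaluated in `int` before `init_get_bits()` runs; for `buf_size > INT_MAX / 8` the multiplication has already overflowed a signed int (undefined behaviour, and in practice a wrapped value that the bit-size check may not catch). Replace it with `ret = init_get_bits8(&s->gb, buf, buf_size);`, which, as Andreas notes in the thread, checks that `buf_size * 8` fits in an int before multiplying, and keep the `return ret;` propagation. Minor: `int ret = 0;` is overwritten by the very next statement, so the initializer is dead and `int ret;` suffices. The patch also carries no commit message body (the diff starts straight after `---`); a sentence on when an unchecked init can fail, such as an oversized packet from a demuxer that does not bound packet size as raised in the thread, would help the next reader of `git log`.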