From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 3 Jul 2022 16:18:09 +0200
Message-Id: <20220703141811.29914-2-michael@niedermayer.cc>
In-Reply-To: <20220703141811.29914-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M

This limit is possibly not reachable due to other restrictions on buffers but the decoder run table is too small beyond this, so explicitly check for it.

Signed-off-by: Michael Niedermayer
--- libavcodec/ffv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 365f8b77a7..7731c15c87 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -187,6 +187,9 @@ static int decode_slice_header(const FFV1Context *f, FFV1Context *fs) || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0);
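
Review bot: the bound `(1<<23)` in the added `fs->slice_width >= (1<<23)` check is a bare magic number, and the reason for it (the decoder run table being too small beyond this width) is stated only in the commit message. Please add a short comment above the check saying that the limit comes from the run table, or express the limit as a named constant placed next to that table, so the two cannot drift apart if the table is later resized. A smaller style point: the bounds check directly above in the same function returns -1 while the new one returns AVERROR_INVALIDDATA; the new return value is the more descriptive of the two, but it would be worth saying in the commit message whether the difference is intentional.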