diff mbox series

[FFmpeg-devel] avformat/oggparseflac: check init_get_bits' result

Message ID 20230530212136.1368389-1-paul.arzelier@free.fr
State Accepted
Commit a9042db1d30483639b3ca610b74a7d43f29ea1a9
Headers show
Series [FFmpeg-devel] avformat/oggparseflac: check init_get_bits' result | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Paul Arzelier May 30, 2023, 9:21 p.m. UTC 
From: Polochon-street <polochonstreet@gmx.fr>

Check init_get_bits' result for NULL, to avoid dereferencing a NULL
pointer later (CWE-476).
Without this, a segfault happens when trying to decode a handcrafted
ogg-flac file with an absurdly long (e.g. 268435455 bytes) ogg header.

Thanks to jamrial for basically writing this patch after I reported the bug!

Signed-off-by: Paul Arzelier <paul.arzelier@free.fr>
---
 libavformat/oggparseflac.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

James Almer May 30, 2023, 9:28 p.m. UTC | #1 
On 5/30/2023 6:21 PM, Paul Arzelier wrote:
> From: Polochon-street <polochonstreet@gmx.fr>
> 
> Check init_get_bits' result for NULL, to avoid dereferencing a NULL
> pointer later (CWE-476).
> Without this, a segfault happens when trying to decode a handcrafted
> ogg-flac file with an absurdly long (e.g. 268435455 bytes) ogg header.
> 
> Thanks to jamrial for basically writing this patch after I reported the bug!
> 
> Signed-off-by: Paul Arzelier <paul.arzelier@free.fr>

Applied.
diff mbox series

Patch

diff --git a/libavformat/oggparseflac.c b/libavformat/oggparseflac.c
index eef6e09927..557440d94b 100644
--- a/libavformat/oggparseflac.c
+++ b/libavformat/oggparseflac.c
@@ -40,7 +40,10 @@  flac_header (AVFormatContext * s, int idx)
     if (os->buf[os->pstart] == 0xff)
         return 0;
 
-    init_get_bits(&gb, os->buf + os->pstart, os->psize*8);
+    ret = init_get_bits8(&gb, os->buf + os->pstart, os->psize);
+    if (ret < 0)
+        return ret;
+
     skip_bits1(&gb); /* metadata_last */
     mdt = get_bits(&gb, 7);