From patchwork Sun May 12 00:03:49 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48799
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 12 May 2024 02:03:49 +0200
Message-ID: <20240512000349.3381912-5-michael@niedermayer.cc>
In-Reply-To: <20240512000349.3381912-1-michael@niedermayer.cc>
References: <20240512000349.3381912-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/5] avcodec/mscc & mwsc: Check loop counts before use

This could cause timeouts
Fixes: CID1439568 Untrusted loop bound
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer
--- libavcodec/mscc.c | 6 ++++++ libavcodec/mwsc.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index 39bfad0b989..0c11fa08a24 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -54,6 +54,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb);
@@ -102,6 +105,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index 06a151a72af..0d4ee9791ad 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -51,6 +51,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; @@ -62,6 +66,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; @@ -73,6 +81,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0;
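Review bot: In the first mscc.c hunk (@@ -54,6 +54,9 @@) the new `bytestream2_get_bytes_left_p(pb) < run * s->bpp` check deserves a one-line comment explaining why it rejects the frame rather than clamps: the bytestream2 put functions are already bounds-safe, so the real purpose here is to stop iterating on a loop count that cannot produce any more output (the timeout case from the commit message), and a reader seeing only AVERROR_INVALIDDATA will not guess that. `run` is a single byte from `bytestream2_get_byte(gb)` in the visible context, so `run * s->bpp` cannot wrap, which is worth stating too.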
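Review bot: In the second mscc.c hunk (@@ -102,6 +105,9 @@) the bound `bytestream2_get_bytes_left_p(pb) < copy * s->bpp` relies on `copy` being small, but unlike `run` its origin and type are not in the visible context. If `copy` is a byte like `run` this is fine; if it can be wider, `copy * s->bpp` may wrap before the comparison with the `int` returned by `bytestream2_get_bytes_left_p`, and the safer form is `copy > bytestream2_get_bytes_left_p(pb) / s->bpp`. Please confirm the type or switch to the division form.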
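Review bot: In the first mwsc.c hunk (@@ -51,6 +51,10 @@) the check `bytestream2_tell_p(pb) + width - w < run` mixes units: `bytestream2_tell_p(pb)` is a byte offset into the output, while `run` and `width - w` count pixels (the loop advances `w` by one per iteration and resets at `w == width`). The sum therefore overstates the remaining pixel capacity, so this is a loose bound, not an exact one. That still limits the loop to the size of the output buffer and so addresses the timeout, but the intent should be documented, or the byte offset divided by the per-pixel size if an exact bound is wanted. Also note `run` is reassigned from `bytestream2_get_le32(gb)` just above the check, so the 32-bit value is compared against an `int` sum; the `int` side is non-negative here, but a cast would make the intended comparison explicit.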
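Review bot: In the second mwsc.c hunk (@@ -62,6 +66,10 @@) the `pos + width - w < fill` check is placed after `bytestream2_seek(gbp, pos, SEEK_SET)`. That is harmless, but moving the check above the seek keeps the early return free of side effects on `gbp`, consistent with the other two hunks where the check precedes any state change. The same byte-versus-pixel unit mix noted for the `run` check applies to `pos` and `fill` here.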
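Review bot: In the third mwsc.c hunk (@@ -73,6 +81,9 @@) the check `bytestream2_tell_p(pb) + width - w < run` is now the third copy of the same expression in `rle_uncompress`. A small static helper (for example one that takes `pb`, `width`, `w` and the count and returns the error) would keep the three call sites identical and give one place to carry the comment about the bound being expressed in a mix of bytes and pixels.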