| Message ID | 84531d48-b0f2-07d4-57fc-7f972d49574f@googlemail.com |
|---|---|
| State | Accepted |
| Commit | 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1 |
| Headers | show |
On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: > This fixes out-of-bounds reads by the bitstream reader. > > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > --- > libavcodec/interplayacm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c > index 0486e00..f4a3446 100644 > --- a/libavcodec/interplayacm.c > +++ b/libavcodec/interplayacm.c > @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx) > s->block = av_calloc(s->block_len, sizeof(int)); > s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); > s->ampbuf = av_calloc(0x10000, sizeof(int)); > - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); > + s->bitstream = av_calloc(s->max_framesize + > AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, How did you came up with this fix? Little background would help. > sizeof(*s->bitstream)); > if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream) > return AVERROR(ENOMEM); > > -- > 2.10.1 > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >
On 30.10.2016 22:18, Paul B Mahol wrote: > On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: >> This fixes out-of-bounds reads by the bitstream reader. >> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> --- >> libavcodec/interplayacm.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c >> index 0486e00..f4a3446 100644 >> --- a/libavcodec/interplayacm.c >> +++ b/libavcodec/interplayacm.c >> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx) >> s->block = av_calloc(s->block_len, sizeof(int)); >> s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); >> s->ampbuf = av_calloc(0x10000, sizeof(int)); >> - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); >> + s->bitstream = av_calloc(s->max_framesize + >> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, > > How did you came up with this fix? > Little background would help. The out-of-bounds read happens in get_bits called from linear. The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index]. The get_bits documentation says: /** * Initialize GetBitContext. * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE bytes * larger than the actual read bits because some optimized bitstream * readers read 32 or 64 bit at once and could read over the end * @param byte_size the size of the buffer in bytes * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow. */ static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer, int byte_size) Increasing the buffer size fixed the problem, so the case seems quite clear. Best regards, Andreas
On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: > On 30.10.2016 22:18, Paul B Mahol wrote: >> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: >>> This fixes out-of-bounds reads by the bitstream reader. >>> >>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >>> --- >>> libavcodec/interplayacm.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c >>> index 0486e00..f4a3446 100644 >>> --- a/libavcodec/interplayacm.c >>> +++ b/libavcodec/interplayacm.c >>> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx) >>> s->block = av_calloc(s->block_len, sizeof(int)); >>> s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); >>> s->ampbuf = av_calloc(0x10000, sizeof(int)); >>> - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); >>> + s->bitstream = av_calloc(s->max_framesize + >>> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, >> >> How did you came up with this fix? >> Little background would help. > > The out-of-bounds read happens in get_bits called from linear. > The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index]. > The get_bits documentation says: > /** > * Initialize GetBitContext. > * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE > bytes > * larger than the actual read bits because some optimized bitstream > * readers read 32 or 64 bit at once and could read over the end > * @param byte_size the size of the buffer in bytes > * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would > overflow. > */ > static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer, > int byte_size) > > Increasing the buffer size fixed the problem, so the case seems quite clear. > > Best regards, > Andreas > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > ok
On 31.10.2016 08:33, Paul B Mahol wrote: > On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: >> On 30.10.2016 22:18, Paul B Mahol wrote: >>> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> wrote: >>>> This fixes out-of-bounds reads by the bitstream reader. >>>> >>>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >>>> --- >>>> libavcodec/interplayacm.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c >>>> index 0486e00..f4a3446 100644 >>>> --- a/libavcodec/interplayacm.c >>>> +++ b/libavcodec/interplayacm.c >>>> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx) >>>> s->block = av_calloc(s->block_len, sizeof(int)); >>>> s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); >>>> s->ampbuf = av_calloc(0x10000, sizeof(int)); >>>> - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); >>>> + s->bitstream = av_calloc(s->max_framesize + >>>> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, >>> >>> How did you came up with this fix? >>> Little background would help. >> >> The out-of-bounds read happens in get_bits called from linear. >> The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index]. >> The get_bits documentation says: >> /** >> * Initialize GetBitContext. >> * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE >> bytes >> * larger than the actual read bits because some optimized bitstream >> * readers read 32 or 64 bit at once and could read over the end >> * @param byte_size the size of the buffer in bytes >> * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would >> overflow. >> */ >> static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer, >> int byte_size) >> >> Increasing the buffer size fixed the problem, so the case seems quite clear. >> >> Best regards, >> Andreas >> _______________________________________________ >> ffmpeg-devel mailing list >> ffmpeg-devel@ffmpeg.org >> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> > > ok Pushed. Best regards, Andreas
diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 0486e00..f4a3446 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->block = av_calloc(s->block_len, sizeof(int)); s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int)); s->ampbuf = av_calloc(0x10000, sizeof(int)); - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream)); + s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream)); if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream) return AVERROR(ENOMEM);
This fixes out-of-bounds reads by the bitstream reader. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> --- libavcodec/interplayacm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)