From patchwork Tue Mar 26 12:38:14 2019
X-Patchwork-Submitter: Carl Eugen Hoyos
X-Patchwork-Id: 12454
From: Carl Eugen Hoyos
Date: Tue, 26 Mar 2019 13:38:14 +0100
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH]lavc/bmp: Avoid a heap buffer overwrite for 1bpp

Hi!

Attached patch intends to fix a buffer overwrite reported today.

Please comment, Carl Eugen

From bd0dfa740f879eca6b13bb841e3b8d37718460ea Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos
Date: Tue, 26 Mar 2019 13:32:11 +0100
Subject: [PATCH] lavc/bmp: Avoid a heap buffer overwrite for 1bpp input.

Found by Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.

--- libavcodec/bmp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index 65d239e..40010ac 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c
@@ -291,7 +291,7 @@ static int bmp_decode_frame(AVCodecContext *avctx, case 1: for (i = 0; i < avctx->height; i++) { int j; - for (j = 0; j < n; j++) { + for (j = 0; j < avctx->width >> 3; j++) { ptr[j*8+0] = buf[j] >> 7; ptr[j*8+1] = (buf[j] >> 6) & 1; ptr[j*8+2] = (buf[j] >> 5) & 1; @@ -301,6 +301,9 @@ static int bmp_decode_frame(AVCodecContext *avctx, ptr[j*8+6] = (buf[j] >> 1) & 1; ptr[j*8+7] = buf[j] & 1; } + for (j = 0; j < (avctx->width & 7); j++) { + ptr[avctx->width - (avctx->width & 7) + j] = buf[avctx->width >> 3] >> (7 - j) & 1; + } buf += n; ptr += linesize; } -- 1.7.10.4
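Review bot: the new bound `avctx->width >> 3` in the first hunk (the `case 1:` inner loop) needs a short comment, and the commit message a sentence, on why `n` was the wrong limit. Each iteration stores eight bytes at `ptr[j*8+0]` through `ptr[j*8+7]`, so looping to `n` writes `8*n` bytes into a row and overruns it whenever `8*n` exceeds the row's width. The message only says "heap buffer overwrite" and does not state that relation. Note also that the read side still depends on `n` (`buf += n`), so the fix assumes `n` covers at least `(avctx->width + 7) >> 3` bytes per row; nothing in the visible lines checks that, so it is worth confirming against the existing size validation earlier in `bmp_decode_frame`.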
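Review bot: in the second hunk, the added tail loop writes `buf[avctx->width >> 3] >> (7 - j) & 1` without parentheses around the shift, while every line of the unrolled loop above uses the form `(buf[j] >> 6) & 1`. The precedence is correct as written (`>>` binds tighter than `&`), but please parenthesize it for consistency. The loop also recomputes `avctx->width & 7` and re-reads the same source byte on every iteration; hoisting the byte and the base index into locals would make the line shorter and easier to check, for example a base of `avctx->width & ~7` instead of `avctx->width - (avctx->width & 7)`. A comment saying that this loop unpacks the remaining `width & 7` pixels of the last partial byte would help the next reader.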