From: maryam ebrahimzadeh
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 28 Aug 2021 15:23:14 -0400
Subject: [FFmpeg-devel] [PATCH v3 1/1] avcodec/wmalosslessdec: Return value check for init_get_bits

avcodec/wmalosslessdec: Return value check for init_get_bits

Similar to CVE-2021-38171 as the second argument for init_get_bits(avpkt and buf) can be crafted, a return value check for this function call is necessary. Also replace init_get_bits with init_get_bits8.
--- libavcodec/wmalosslessdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 74c91f4f7e..9de60b61c3 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1187,6 +1187,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, const uint8_t* buf = avpkt->data; int buf_size = avpkt->size; int num_bits_prev_frame, packet_sequence_number, spliced_packet; + int ret; s->frame->nb_samples = 0; 
@@ -1205,7 +1206,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, s->buf_bit_size = buf_size << 3; /* parse packet header */ - init_get_bits(gb, buf, s->buf_bit_size); + ret = init_get_bits8(gb, buf, buf_size); + if (ret < 0) + return ret; packet_sequence_number = get_bits(gb, 4); skip_bits(gb, 1); // Skip seekable_frame_in_packet, currently unused spliced_packet = get_bits1(gb); @@ -1256,7 +1259,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, int frame_size; s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; - init_get_bits(gb, avpkt->data, s->buf_bit_size); + ret = init_get_bits8(gb, avpkt->data, (avpkt->size - s->next_packet_start)); + if (ret < 0) + return ret; skip_bits(gb, s->packet_offset); if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size &&
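Review bot: In the hunk at -1205,7 the assignment "s->buf_bit_size = buf_size << 3;" still runs before the new check, so the shift is evaluated and the decoder context is updated with a size that init_get_bits8 may go on to reject. Move the assignment below "if (ret < 0) return ret;" so that s->buf_bit_size is only written once the byte size has been accepted, or state in the commit message why leaving a stale value in the context on the error path is harmless.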
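Review bot: In the hunk at -1256,7 the byte count "avpkt->size - s->next_packet_start" is now spelled out twice, once shifted into s->buf_bit_size and once as the init_get_bits8 argument, and the two can drift apart in a later edit. Compute it once into a local declared next to "int frame_size;" and use that for both, dropping the redundant outer parentheses around the argument. As in the previous hunk, s->buf_bit_size is assigned before the return value is checked. The commit message also says only "Also replace init_get_bits with init_get_bits8"; a sentence on why the byte-size variant is wanted here would help whoever backports this.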