
[FFmpeg-devel,v2,1/1] avcodec/vble: Return value check for init_get_bits

Message ID PAXP193MB1262B514ADC19022F139783FB6CB9@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM
State New

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Maryam Ebrahimzadeh Aug. 30, 2021, 6:39 p.m. UTC
avcodec/vble: Return value check for init_get_bits

As the second argument for init_get_bits can be crafted,
a return value check for this function call is necessary.
So replace init_get_bits with init_get_bits8 and remove a duplicate check before
the callsite.

---
 libavcodec/vble.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Andreas Rheinhardt Aug. 31, 2021, 6:32 a.m. UTC | #1
maryam ebrahimzadeh:
> avcodec/vble: Return value check for init_get_bits
> 
> As the second argument for init_get_bits can be crafted,
> a return value check for this function call is necessary.
> So replace init_get_bits with init_get_bits8 and remove a duplicate check before
> the callsite.
> 
> ---
>  libavcodec/vble.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/vble.c b/libavcodec/vble.c
> index f1400959e0..c1d3cdcc95 100644
> --- a/libavcodec/vble.c
> +++ b/libavcodec/vble.c
> @@ -127,7 +127,7 @@ static int vble_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
>      int ret;
>      ThreadFrame frame = { .f = data };
>  
> -    if (avpkt->size < 4 || avpkt->size - 4 > INT_MAX/8) {
> +    if (avpkt->size < 4) {
>          av_log(avctx, AV_LOG_ERROR, "Invalid packet size\n");
>          return AVERROR_INVALIDDATA;
>      }
> @@ -146,7 +146,9 @@ static int vble_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
>      if (version != 1)
>          av_log(avctx, AV_LOG_WARNING, "Unsupported VBLE Version: %d\n", version);
>  
> -    init_get_bits(&gb, src + 4, (avpkt->size - 4) * 8);
> +    ret = init_get_bits8(&gb, src + 4, avpkt->size - 4);
> +    if (ret < 0)
> +        return ret;
>  
>      /* Unpack */
>      if (vble_unpack(ctx, &gb) < 0) {
> 
Checking before the callsite has the advantage of not trying to allocate
a huge buffer that ends up unused. So instead of removing said check it
should be fixed: get_bits.h should properly export the maximum supported
buffer size and that should be checked at the beginning.

- Andreas
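
The approach proposed in the reply above, as an added example (not code from FFmpeg or from anyone in this thread): a bit-reader header exports its maximum supported byte size, the decoder checks the packet against it before doing any work, and the checked initializer remains as a backstop. All names (`BR_MAX_BYTES`, `br_init8`, `decode_packet`, `work_done`) are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bit-reader API for illustration; not FFmpeg's get_bits.h. */
#define BR_MAX_BYTES   (INT_MAX / 8)  /* largest byte count whose bit count fits in int */
#define BR_ERR_INVALID (-1)

typedef struct BitReader {
    const uint8_t *buf;
    int size_in_bits;
} BitReader;

/* Takes a byte count and validates it before multiplying by 8, so the
 * multiplication cannot overflow a signed int. */
static int br_init8(BitReader *br, const uint8_t *buf, int byte_size)
{
    if (!buf || byte_size < 0 || byte_size > BR_MAX_BYTES) {
        br->buf = NULL;
        br->size_in_bits = 0;
        return BR_ERR_INVALID;
    }
    br->buf = buf;
    br->size_in_bits = byte_size * 8;
    return 0;
}

/* Decoder entry point for a packet with a 4-byte header. *work_done stands
 * in for per-frame setup (e.g. buffer allocation) that should not happen
 * for a packet that will be rejected anyway. Returns payload bits or < 0. */
static int decode_packet(const uint8_t *pkt, int pkt_size, int *work_done)
{
    BitReader br;
    int ret;

    *work_done = 0;
    /* Early check against the exported limit; "< 4" is tested first so the
     * subtraction cannot go negative. */
    if (pkt_size < 4 || pkt_size - 4 > BR_MAX_BYTES)
        return BR_ERR_INVALID;

    *work_done = 1;
    /* The initializer's own check stays as a second line of defence. */
    ret = br_init8(&br, pkt + 4, pkt_size - 4);
    if (ret < 0)
        return ret;
    return br.size_in_bits;
}
```
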
Maryam Ebrahimzadeh Sept. 4, 2021, 5:39 a.m. UTC | #2
On Aug 31, 2021, at 11:02 AM, Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:

> So instead of removing said check it

In the previous version I didn’t remove it, but Paul B Mahol said to remove the previous check.
Here<https://patchwork.ffmpeg.org/project/ffmpeg/patch/PAXP193MB1262D52E9DD3F95090EA119AB6CB9@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM/#66445>
Maryam Ebrahimzadeh Sept. 18, 2021, 5:11 a.m. UTC | #3
Ping.

> On Sep 4, 2021, at 10:09 AM, Maryam Ebrahimzadeh <me22bee@outlook.com> wrote:
> 
> 
> 
> On Aug 31, 2021, at 11:02 AM, Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:
> 
> So instead of removing said check it
> 
> In the previous version I didn’t remove it, but Paul B Mahol said to remove the previous check.
> Here<https://patchwork.ffmpeg.org/project/ffmpeg/patch/PAXP193MB1262D52E9DD3F95090EA119AB6CB9@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM/#66445>
Patch

diff --git a/libavcodec/vble.c b/libavcodec/vble.c
index f1400959e0..c1d3cdcc95 100644
--- a/libavcodec/vble.c
+++ b/libavcodec/vble.c
@@ -127,7 +127,7 @@  static int vble_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     int ret;
     ThreadFrame frame = { .f = data };
 
-    if (avpkt->size < 4 || avpkt->size - 4 > INT_MAX/8) {
+    if (avpkt->size < 4) {
         av_log(avctx, AV_LOG_ERROR, "Invalid packet size\n");
         return AVERROR_INVALIDDATA;
     }
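Review bot: Dropping `avpkt->size - 4 > INT_MAX/8` from the condition at the top of vble_decode_frame means an oversized packet is no longer rejected here with the "Invalid packet size" log; it is only caught in the second hunk by the return value of init_get_bits8, after the code between the two hunks has already run. Consider keeping an upper bound in this condition, ideally against a limit exported by get_bits.h as suggested in the thread rather than a hard-coded INT_MAX/8, so that bad input fails before any further work, and keep the init_get_bits8 check as a backstop.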
@@ -146,7 +146,9 @@  static int vble_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     if (version != 1)
         av_log(avctx, AV_LOG_WARNING, "Unsupported VBLE Version: %d\n", version);
 
-    init_get_bits(&gb, src + 4, (avpkt->size - 4) * 8);
+    ret = init_get_bits8(&gb, src + 4, avpkt->size - 4);
+    if (ret < 0)
+        return ret;
 
     /* Unpack */
     if (vble_unpack(ctx, &gb) < 0) {
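Review bot: The new `if (ret < 0) return ret;` after init_get_bits8 returns without logging, while the packet-size check earlier in the same function logs "Invalid packet size" before returning; add an av_log(avctx, AV_LOG_ERROR, ...) on this path so a rejected payload size is diagnosable. With the upper bound removed in the first hunk, this return is also the only thing that stops an over-large `avpkt->size - 4` from reaching vble_unpack, so a short comment noting that would help keep it from being dropped later.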