Message ID | PAXP193MB1262C64C06F9D9357D7A5F00B6C89@PAXP193MB1262.EURP193.PROD.OUTLOOK.COM |
---|---|
State | New |
Series | [FFmpeg-devel,v2,1/1] avcodec/wmalosslessdec: return value check for init_get_bits | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |
On Fri, Aug 27, 2021 at 8:50 AM maryam ebrahimzadeh <me22bee@outlook.com> wrote: > Similar to CVE-2021-38171 as the second argument for init_get_bits(avpkt > and bu$ > a return value check for this function call is necessary. > Also replace init_get_bits with init_get_bits8. > > --- > libavcodec/wmalosslessdec.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c > index 74c91f4f7e..1173ef62c2 100644 > --- a/libavcodec/wmalosslessdec.c > +++ b/libavcodec/wmalosslessdec.c > @@ -1187,6 +1187,7 @@ static int decode_packet(AVCodecContext *avctx, void > *data, int *got_frame_ptr, > const uint8_t* buf = avpkt->data; > int buf_size = avpkt->size; > int num_bits_prev_frame, packet_sequence_number, spliced_packet; > + int ret; > > s->frame->nb_samples = 0; > > @@ -1205,7 +1206,9 @@ static int decode_packet(AVCodecContext *avctx, void > *data, int *got_frame_ptr, > s->buf_bit_size = buf_size << 3; > > /* parse packet header */ > - init_get_bits(gb, buf, s->buf_bit_size); > + ret = init_get_bits8(gb, buf, buf_size); > + if (ret < 0) > + return ret; > packet_sequence_number = get_bits(gb, 4); > skip_bits(gb, 1); // Skip seekable_frame_in_packet, currently > unused > spliced_packet = get_bits1(gb); 
> @@ -1256,7 +1259,9 @@ static int decode_packet(AVCodecContext *avctx, void > *data, int *got_frame_ptr, > int frame_size; > > s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; > - init_get_bits(gb, avpkt->data, s->buf_bit_size); > + init_get_bits8(gb, avpkt->data, (avpkt->size - > s->next_packet_start)); > Not using return value here. This patch needs much more work. > + if (ret < 0) > + return ret; > skip_bits(gb, s->packet_offset); > > if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size && > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 74c91f4f7e..1173ef62c2 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1187,6 +1187,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 const uint8_t* buf = avpkt->data;
 int buf_size = avpkt->size;
 int num_bits_prev_frame, packet_sequence_number, spliced_packet;
+ int ret;

 s->frame->nb_samples = 0;

@@ -1205,7 +1206,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 s->buf_bit_size = buf_size << 3;

 /* parse packet header */
- init_get_bits(gb, buf, s->buf_bit_size);
+ ret = init_get_bits8(gb, buf, buf_size);
+ if (ret < 0)
+ return ret;
 packet_sequence_number = get_bits(gb, 4);
 skip_bits(gb, 1); // Skip seekable_frame_in_packet, currently unused
 spliced_packet = get_bits1(gb);
@@ -1256,7 +1259,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 int frame_size;

 s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
- init_get_bits(gb, avpkt->data, s->buf_bit_size);
+ init_get_bits8(gb, avpkt->data, (avpkt->size - s->next_packet_start));
+ if (ret < 0)
+ return ret;
 skip_bits(gb, s->packet_offset);

 if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size &&
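Review bot: The context line `s->buf_bit_size = buf_size << 3;` in the second hunk still runs before the new `init_get_bits8()` check, so a packet size too large for the bit count overflows the signed shift and is stored in the decoder context before anything rejects it. Assuming `init_get_bits8()` is the call that bounds the byte count, the assignment belongs after the check, i.e. move `s->buf_bit_size = buf_size << 3;` below the `return ret;` line. The third hunk has the same ordering with `s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;`, where a `next_packet_start` larger than `avpkt->size` would also shift a negative value; the later `remaining_bits(s, gb)` comparison presumably reads that field. `decode_packet` starts and ends outside these hunks, so whether earlier code already bounds these sizes is not visible here.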