From patchwork Fri Aug 27 06:50:27 2021
X-Patchwork-Submitter: Maryam Ebrahimzadeh
X-Patchwork-Id: 29803
From: maryam ebrahimzadeh
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 27 Aug 2021 02:50:27 -0400
X-Microsoft-Original-Message-ID: <20210827065027.3088-1-me22bee@outlook.com>
X-Mailer: git-send-email 2.17.1
Subject: [FFmpeg-devel] [PATCH v2 1/1] avcodec/wmalosslessdec: return value check for init_get_bits

Similar to CVE-2021-38171 as the second argument for init_get_bits(avpkt and bu$ a return value check for this function call is necessary. Also replace init_get_bits with init_get_bits8.
--- libavcodec/wmalosslessdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 74c91f4f7e..1173ef62c2 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1187,6 +1187,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, const uint8_t* buf = avpkt->data; int buf_size = avpkt->size; int num_bits_prev_frame, packet_sequence_number, spliced_packet; + int ret; s->frame->nb_samples = 0; @@ -1205,7 +1206,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, s->buf_bit_size = buf_size << 3; /* parse packet header */ - init_get_bits(gb, buf, s->buf_bit_size); + ret = init_get_bits8(gb, buf, buf_size); + if (ret < 0) + return ret; packet_sequence_number = get_bits(gb, 4); skip_bits(gb, 1); // Skip seekable_frame_in_packet, currently unused spliced_packet = get_bits1(gb); 
@@ -1256,7 +1259,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, int frame_size; s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; - init_get_bits(gb, avpkt->data, s->buf_bit_size); + init_get_bits8(gb, avpkt->data, (avpkt->size - s->next_packet_start)); + if (ret < 0) + return ret; skip_bits(gb, s->packet_offset); if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size &&
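Review bot: In the hunk at -1205,7 (packet header parsing), `s->buf_bit_size = buf_size << 3;` still runs before the new check, so the shift is done on a size that has not been validated yet, and when init_get_bits8() fails the function returns with s->buf_bit_size already set from the rejected size. Suggest moving that assignment below `if (ret < 0) return ret;` so decoder state is only updated once the size has been accepted.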
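Review bot: In the hunk at -1256,7, the return value of init_get_bits8() is never assigned, so the added `if (ret < 0)` tests whatever ret held before this call and cannot catch a failure here. The line should read `ret = init_get_bits8(gb, avpkt->data, avpkt->size - s->next_packet_start);` (the extra parentheses around the size expression can go). It is also worth confirming that ret is always initialized on the path that reaches this branch, since the only assignment visible in the patch is in the packet-header hunk.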