From patchwork Thu Jun 21 03:46:52 2018
X-Patchwork-Submitter: Xiao Yang
X-Patchwork-Id: 9453
From: Xiao Yang
To: "ffmpeg-devel@ffmpeg.org"
Date: Thu, 21 Jun 2018 03:46:52 +0000
Subject: [FFmpeg-devel] [PATCH] rpza: fix the bounds check
List-Id: FFmpeg development discussions and patches
Cc: Xiao Yang , "libav-stable@libav.org"

Fixes invalid writes when there are more blocks in a run than total remaining blocks (see CVE-2014-8548)
--- libavcodec/rpza.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index b71ebd1..7cb6b89 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -68,6 +68,11 @@ typedef struct RpzaContext { row_ptr += stride * 4; \ } \ total_blocks--; \ + if (total_blocks < !!n_blocks) \ + { \ + av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ + return; \ + } \ } static int rpza_decode_stream(RpzaContext *s)
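
Review bot: the bare `return;` in the added block yields no return value if this macro is expanded inside `rpza_decode_stream`, which the trailing context line declares as `static int`, so the caller cannot tell that decoding stopped on invalid input. Return an error code there instead, for example `return AVERROR_INVALIDDATA;`, and make sure the caller checks it; a `return` hidden in a macro body is also easy to miss at the call sites, so a short comment on the macro saying it may exit the enclosing function would help. The condition `total_blocks < !!n_blocks` is terse: it fires on a negative counter in every case and on a zero counter only while `n_blocks` is still non-zero, which deserves a one-line comment. The message says "warning:" but is logged at `AV_LOG_INFO`; since this path aborts decoding of malformed data, `AV_LOG_ERROR` fits better and the "warning:" prefix can go.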