From patchwork Sun Oct 30 19:50:27 2016
From: Andreas Cadhalpun
To: FFmpeg development discussions and patches
Date: Sun, 30 Oct 2016 20:50:27 +0100
Subject: [FFmpeg-devel] [PATCH] interplayacm: check for too large b

This fixes out-of-bounds reads.
Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayacm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 0fd3501..0486e00 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 3) + (x3 * 9) */ b = get_bits(gb, 5); + if (b > 26) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x3[b] & 0x0F) - 1; n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; @@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 5) + (x3 * 25) */ b = get_bits(gb, 7); + if (b > 124) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_3x5[b] & 0x0F) - 2; n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; @@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col) for (i = 0; i < s->rows; i++) { /* b = (x1) + (x2 * 11) */ b = get_bits(gb, 7); + if (b > 120) { + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b); + return AVERROR_INVALIDDATA; + } n1 = (mul_2x11[b] & 0x0F) - 5; n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
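Review bot: the bound 26 in the t15 hunk is a magic number that restates the size of mul_3x3. The comment right above it, `b = (x1) + (x2 * 3) + (x3 * 9)`, gives 27 base-3 combinations with a largest index of 2 + 6 + 18 = 26, so the comparison is correct, but it only stays correct while the table keeps 27 entries. Write it as `if (b >= FF_ARRAY_ELEMS(mul_3x3))` so the bound cannot drift from the table it guards. Since get_bits(gb, 5) yields values up to 31, the rejected range 27..31 is reachable from crafted input, which is the out-of-bounds read the commit message refers to.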
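Review bot: `av_log(NULL, AV_LOG_ERROR, ...)` in the t27 hunk drops the decoder context, so the message cannot be attributed to the stream that produced it and bypasses the caller's log level. The routine only receives `InterplayACMContext *s`; if that struct does not carry an AVCodecContext, either store one at init time or return AVERROR_INVALIDDATA silently and let the caller log with its own avctx. Separately, get_bits() returns an unsigned value, so if b is declared unsigned the `%d` in "Too large b = %d > 124\n" should be `%u`; the maximum here, 124, is 4 + 20 + 100 per the `b = (x1) + (x2 * 5) + (x3 * 25)` comment, i.e. the last index of the 125-entry mul_3x5.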
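Review bot: the t37 hunk guards a 7-bit read with `b > 120`, where 120 is the last index of mul_2x11 (11 * 11 = 121 entries, matching the comment `b = (x1) + (x2 * 11)`), so rejecting 121..127 is correct. With three near-identical checks in t15, t27 and t37, consider a small helper or macro taking the table and its element count so the comparison, the message and the error code are written once; at minimum the three error strings should name the routine that rejected the value, since "Too large b" alone does not tell the user where the stream was invalid.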