From patchwork Thu Jul 16 07:27:27 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 21101
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 16 Jul 2020 09:27:27 +0200
Message-Id: <20200716072728.25072-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/tdsc: Fix tile checks

Fixes: out of array access
Fixes: crash.asf
Found-by: anton listov
Reviewed-by: anton listov
Signed-off-by: Michael Niedermayer
---
 libavcodec/tdsc.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index eaea41c1f5..3617911071 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || 
@@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer)

From patchwork Thu Jul 16 07:27:28 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 21105
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 16 Jul 2020 09:27:28 +0200
Message-Id: <20200716072728.25072-2-michael@niedermayer.cc>
In-Reply-To: <20200716072728.25072-1-michael@niedermayer.cc>
References: <20200716072728.25072-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] swscale/tests/swscale: use codes < 128 for indicating errors

Signed-off-by: Michael Niedermayer
---
 libswscale/tests/swscale.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index 845ced61bb..9c0b5a4b11 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c 
@@ -248,7 +248,7 @@ end: if (dstStride[i]) av_free(dst[i]); - return res; + return res & 127; } static void selfTest(const uint8_t * const ref[4], int refStride[4],
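
Review bot: in the "@@ -408,20 +408,19 @@" hunk of libavcodec/tdsc.c (patch 1/2), the new condition relies on two things that are not written down anywhere: x2 and y2 are exclusive right and bottom edges (so "x2 > ctx->width" deliberately admits a tile ending at the frame edge), and a 32-bit field with the top bit set lands in an int as a negative value, which is what "x < 0 || y < 0 || x2 <= x || y2 <= y" is there to reject. A one-line comment above the check stating both would keep a later cleanup from dropping the sign tests as redundant. With those tests in place, w and h are only computed from validated values, so the old unchecked subtraction and the "x + w" sum are gone, which is the right ordering. Style: the closing parenthesis sits on its own line ("+ ) {"); fold it into the previous line as "y2 > ctx->height) {". The merged log message no longer says whether the position or the size was bad, which is acceptable since it now prints all four coordinates.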
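
Review bot: in the "@@ -248,7 +248,7 @@" hunk of libswscale/tests/swscale.c (patch 2/2), "return res & 127;" can turn a failure into a success: any non-zero res whose low seven bits are all clear (128, 256, -128 and so on) masks to 0. If the only goal is to keep the returned code below 128, map every non-zero res to a fixed non-zero value instead, for example "return !!res;", so a failing test can never report 0. The commit message also carries no body explaining why codes must stay below 128; one sentence on the reason would help whoever touches this return next.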