[Ffmpeg-cvslog] CVS: ffmpeg/libavcodec 4xm.c, 1.20, 1.21 alac.c, 1.11, 1.12 cook.c, 1.9, 1.10 shorten.c, 1.3, 1.4 smacker.c, 1.2, 1.3 snow.c, 1.94, 1.95 tta.c, 1.2, 1.3

Michael Niedermayer CVS michael
Sat May 13 12:45:29 CEST 2006


Update of /cvsroot/ffmpeg/ffmpeg/libavcodec
In directory mail:/var2/tmp/cvs-serv6233

Modified Files:
	4xm.c alac.c cook.c shorten.c smacker.c snow.c tta.c 
Log Message:
sanity checks, some might have been exploitable ...


Index: 4xm.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/4xm.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -r1.20 -r1.21
--- 4xm.c	5 Feb 2006 13:35:16 -0000	1.20
+++ 4xm.c	13 May 2006 10:45:25 -0000	1.21
@@ -606,7 +606,7 @@
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
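Review bot: The new `buf_size < 20` condition at L29 only logs and then falls through, so a buffer shorter than 20 bytes still reaches the `buf+20` read that the next hunk's memcpy performs; since the message is already AV_LOG_ERROR, the branch should bail out with `return -1;` after the av_log. `get32(buf+4)` is evaluated before any size check, which is safe only if the caller guarantees at least 8 bytes — worth confirming, as it is not visible here. The enclosing function starts and ends outside this hunk.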
@@ -634,6 +634,10 @@
         cfrm= &f->cfrm[i];
 
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
 
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
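Review bot: Assigning the av_fast_realloc result straight back into `cfrm->data` at L36 overwrites the only pointer to the old buffer with NULL before the new check at L37 sees it, so on failure the previous allocation is leaked (assuming av_fast_realloc returns NULL without freeing, as realloc does — its body is outside this hunk). Use a temporary and commit it only on success. The message at L38 also has a typo and no trailing newline: `"realloc failure\n"`. `data_size` and the `cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE` sum are computed outside the hunk; if data_size comes from the packet, that sum should be overflow-checked before the realloc as well.
```c
        cfrm= &f->cfrm[i];

        tmp= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
        if(!tmp){ // cfrm->data still owns the old buffer here, so nothing is lost
            av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n");
            return -1;
        }
        cfrm->data= tmp;
        // … unchanged: memcpy from buf+20 and size update …
```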

Index: alac.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/alac.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- alac.c	10 May 2006 11:59:09 -0000	1.11
+++ alac.c	13 May 2006 10:45:25 -0000	1.12
@@ -100,7 +100,7 @@
     alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
 }
 
-static void alac_set_info(ALACContext *alac)
+static int alac_set_info(ALACContext *alac)
 {
     unsigned char *ptr = alac->avctx->extradata;
 
@@ -108,6 +108,10 @@
     ptr += 4; /* alac */
     ptr += 4; /* 0 ? */
 
+    if(BE_32(ptr) >= UINT_MAX/4){
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+        return -1;
+    }
     alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
     ptr += 4;
     alac->setinfo_7a = *ptr++;
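Review bot: `BE_32(ptr)` is evaluated twice, once in the new check at L66 and again in the assignment at L70; storing the field first and checking it keeps the checked and stored values provably the same: `alac->setinfo_max_samples_per_frame = BE_32(ptr); if(alac->setinfo_max_samples_per_frame >= UINT_MAX/4){ ... return -1; }`. The `UINT_MAX/4` bound matches the `* 4` in allocate_buffers (previous hunk) only implicitly; a comment such as `/* allocate_buffers multiplies this by 4 */` would make the coupling visible to whoever changes either side.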
@@ -126,6 +130,8 @@
     ptr += 4;
 
     allocate_buffers(alac);
+
+    return 0;
 }
 
 /* hideously inefficient. could use a bitmask search,
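Review bot: The function now returns 0 unconditionally after `allocate_buffers(alac)` at L76, yet allocate_buffers is void and, as the first hunk shows at L54, stores av_malloc results without checking them, so an allocation failure still reports success and later decoding would write through a NULL buffer. allocate_buffers should return int with each av_malloc checked, and this call becomes `if (allocate_buffers(alac) < 0) return -1;`. Only the tail of allocate_buffers is visible here; the other buffers it allocates are outside the hunk.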

Index: cook.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/cook.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- cook.c	10 Feb 2006 11:59:38 -0000	1.9
+++ cook.c	13 May 2006 10:45:25 -0000	1.10
@@ -1253,6 +1253,10 @@
     if (init_cook_vlc_tables(q) != 0)
         return -1;
 
+
+    if(avctx->block_align >= UINT_MAX/2)
+        return -1;
+
     /* Pad the databuffer with FF_INPUT_BUFFER_PADDING_SIZE,
        this is for the bitstreamreader. */
     if ((q->decoded_bytes_buffer = av_mallocz((avctx->block_align+(4-avctx->block_align%4) + FF_INPUT_BUFFER_PADDING_SIZE)*sizeof(uint8_t)))  == NULL)
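Review bot: The new block_align bound at L96 sits after `init_cook_vlc_tables(q)` has already succeeded, so rejecting a bad block_align returns -1 with the VLC tables built; unless an error path outside this hunk frees them, that is a leak on attacker-controlled input. The check depends only on avctx, so it can simply move above the VLC init. Rejection of a negative block_align (an int in AVCodecContext, presumably) works only through the implicit conversion to unsigned in the comparison with `UINT_MAX/2`; an explicit `avctx->block_align < 0 ||` or a comment would make that intent visible.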

Index: shorten.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/shorten.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- shorten.c	25 Jan 2006 22:10:12 -0000	1.3
+++ shorten.c	13 May 2006 10:45:25 -0000	1.4
@@ -106,18 +106,27 @@
     return 0;
 }
 
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
     int i, chan;
     for (chan=0; chan<s->channels; chan++) {
+        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+            return -1;
+        }
+        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+            return -1;
+        }
+
         s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 
         s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
         for (i=0; i<s->nwrap; i++)
             s->decoded[chan][i] = 0;
         s->decoded[chan] += s->nwrap;
-
     }
+    return 0;
 }
 
 
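Review bot: Both av_realloc results at L129 and L131 are still stored unchecked, and L133 immediately writes through `s->decoded[chan]`, so an allocation failure is a NULL dereference on the path these new overflow checks were added to harden; each realloc should go through a temporary that is checked before being committed (overwriting the field directly also leaks the old buffer on failure). The two range checks at L120 and L124 do not depend on `chan` and can be hoisted above the for loop. Note that L134 stores a pointer advanced by `s->nwrap`, so if allocate_buffers is ever called a second time (callers are outside this hunk) the realloc at L131 receives a non-base pointer; that is worth a comment or a guard.
```c
    for (chan=0; chan<s->channels; chan++) {
        int32_t *tmp;

        tmp = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
        if (!tmp)
            return -1;
        s->offset[chan] = tmp;

        tmp = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
        if (!tmp)
            return -1;
        s->decoded[chan] = tmp;
        /* … unchanged: zero the nwrap prefix and advance the pointer … */
    }
```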

Index: smacker.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/smacker.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- smacker.c	25 Mar 2006 15:37:08 -0000	1.2
+++ smacker.c	13 May 2006 10:45:25 -0000	1.3
@@ -177,6 +177,11 @@
     int escapes[3];
     DBCtx ctx;
 
+    if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
+        av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
+        return -1;
+    }
+
     tmp1.length = 256;
     tmp1.maxlength = 0;
     tmp1.current = 0;
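Review bot: The new bound on `size` at L154 rejects negative values only through the usual arithmetic conversions — if `size` is a signed int (its declaration is above this hunk) it is converted to unsigned for the comparison with `UINT_MAX>>4`, which a reader may not notice. Making it explicit keeps the intent visible: `if(size < 0 || size >= UINT_MAX>>4)`, or extend the comment to say negatives are covered by the unsigned compare. The comment names the length formula but not the allocation it sizes; naming that allocation (outside this hunk) would tie the check to what it protects.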

Index: snow.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/snow.c,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -d -r1.94 -r1.95
--- snow.c	20 Mar 2006 05:52:23 -0000	1.94
+++ snow.c	13 May 2006 10:45:25 -0000	1.95
@@ -3712,7 +3712,7 @@
     s->mv_scale= get_symbol(&s->c, s->header_state, 0);
     s->qbias= get_symbol(&s->c, s->header_state, 1);
     s->block_max_depth= get_symbol(&s->c, s->header_state, 0);
-    if(s->block_max_depth > 1){
+    if(s->block_max_depth > 1 || s->block_max_depth < 0){
         av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large", s->block_max_depth);
         s->block_max_depth= 0;
         return -1;
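Review bot: The message at L177 still says "too large" although the condition now also rejects negative values, so a block_max_depth of -1 is reported as too large; use `"block_max_depth= %d is invalid\n"` (the string is also missing its trailing newline). `mv_scale` and `qbias` are read from the same header at L172 and L173 with no range check; if either is used as a shift count or divisor further down (outside this hunk), it needs the same treatment as block_max_depth.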

Index: tta.c
===================================================================
RCS file: /cvsroot/ffmpeg/ffmpeg/libavcodec/tta.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- tta.c	27 Feb 2006 12:17:20 -0000	1.2
+++ tta.c	13 May 2006 10:45:26 -0000	1.3
@@ -238,6 +238,10 @@
         avctx->bits_per_sample = get_le16(&s->gb);
         s->bps = (avctx->bits_per_sample + 7) / 8;
         avctx->sample_rate = get_le32(&s->gb);
+        if(avctx->sample_rate > 1000000){ //prevent FRAME_TIME * avctx->sample_rate from overflowing and sanity check
+            av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
+            return -1;
+        }
         s->data_length = get_le32(&s->gb);
         skip_bits(&s->gb, 32); // CRC32 of header
 
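Review bot: `avctx->sample_rate` is an int in AVCodecContext (its declaration is not in this hunk), so a 32-bit value with the top bit set read by `get_le32` at L192 becomes negative and passes the `> 1000000` check at L193; make it two-sided: `if(avctx->sample_rate <= 0 || avctx->sample_rate > 1000000)`. `s->bps` at L191 is derived from a 16-bit bits_per_sample with no bound either; if bps is later used as a shift count or table index (outside this hunk), values above the supported sample widths should be rejected here as well.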
@@ -276,6 +280,11 @@
             skip_bits(&s->gb, 32);
         skip_bits(&s->gb, 32); // CRC32 of seektable
 
+        if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
+            av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
+            return -1;
+        }
+
         s->decode_buffer = av_mallocz(sizeof(int32_t)*s->frame_length*s->channels);
     } else {
         av_log(avctx, AV_LOG_ERROR, "Wrong extradata present\n");
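Review bot: The new guard at L204 divides by `s->channels * sizeof(int32_t)` and so divides by zero when channels is 0, unless channels was validated above this hunk — which is not visible here; guard it explicitly: `if(s->channels <= 0 || s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t)))` (`== 0` if channels is unsigned). The av_mallocz result at L209 is still stored without a NULL check; add `if(!s->decode_buffer) return -1;` right after it.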




