[FFmpeg-cvslog] vp3dec: Check coefficient index in vp3_dequant()
Reinhard Tartler
git at videolan.org
Sun Dec 25 01:36:04 CET 2011
ffmpeg | branch: release/0.6 | Reinhard Tartler <siretart at tauware.de> | Sun Dec 4 10:10:33 2011 +0100| [bd071de29ae33a0ea99fd52793394a377ca61589] | committer: Reinhard Tartler
vp3dec: Check coefficient index in vp3_dequant()
Based on a patch by Michael Niedermayer <michaelni at gmx.at>
Fixes NGS00145, CVE-2011-4352
Found-by: Phillip Langlois
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit bba709214a51ffd665a67404d3beb3727bb3f319)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd071de29ae33a0ea99fd52793394a377ca61589
---
libavcodec/vp3.c | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index c08de6c..fe8af86 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1285,6 +1285,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag,
case 1: // zero run
s->dct_tokens[plane][i]++;
i += (token >> 2) & 0x7f;
+ if (i > 63) {
+ av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n");
+ return i;
+ }
block[perm[i]] = (token >> 9) * dequantizer[perm[i]];
i++;
break;
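Review bot: the new check in the zero-run case reports failure by returning i itself, so a return value above 63 now means "overflow" while the callers still test the same value for > 0, and nothing at vp3_dequant() documents that. A short comment on the function describing the return value, or a negative error return, would keep the callers from having to repeat the literal 63. Note also that s->dct_tokens[plane][i]++ runs before the check, so the offending token is consumed on the error path; please confirm that is intended.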
@@ -1458,7 +1462,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
/* invert DCT and place (or add) in final output */
if (s->all_fragments[i].coding_method == MODE_INTRA) {
- vp3_dequant(s, s->all_fragments + i, plane, 0, block);
+ int index;
+ index = vp3_dequant(s, s->all_fragments + i, plane, 0, block);
+ if (index > 63)
+ continue;
if(s->avctx->idct_algo!=FF_IDCT_VP3)
block[0] += 128<<3;
s->dsp.idct_put(
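Review bot: the continue in the intra branch skips idct_put for this fragment, but vp3_dequant() may already have written coefficients into block before it hit the overflow. If block is reused for the next fragment and relies on the IDCT call to consume or clear it, those coefficients carry over; clearing block before the continue would rule that out. The skipped fragment is also only signalled through the log message from vp3_dequant(), with nothing reported back from render_slice().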
@@ -1466,7 +1473,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
stride,
block);
} else {
- if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
+ int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block);
+ if (index > 63)
+ continue;
+ if (index > 0) {
s->dsp.idct_add(
output_plane + first_pixel,
stride,
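Review bot: the index > 63 test here duplicates the one in the intra branch, and the two branches declare index differently (a separate declaration and assignment there, an initialised declaration here). Using one form in both places and a named constant for the 63 limit would make the three checks easier to keep in sync. The same point about block contents before the continue applies to this inter path.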