[FFmpeg-cvslog] diracdec: Fix integer overflow leading to out of global array read.

Michael Niedermayer git at videolan.org
Fri Mar 16 16:31:00 CET 2012


ffmpeg | branch: release/0.10 | Michael Niedermayer <michaelni at gmx.at> | Sun Jan 29 03:38:58 2012 +0100| [9f253ebb41c5365edc406bf73bf1c483befc6ee4] | committer: Michael Niedermayer

diracdec: Fix integer overflow leading to out of global array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 9729f140ae073f1df2041b6c5fd2068592eb9c48)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f253ebb41c5365edc406bf73bf1c483befc6ee4
---

 libavcodec/diracdec.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 03e7d0a..c96b37a 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1172,7 +1172,7 @@ static void propagate_block_data(DiracBlock *block, int stride, int size)
  * Dirac Specification ->
  * 12. Block motion data syntax
  */
-static void dirac_unpack_block_motion_data(DiracContext *s)
+static int dirac_unpack_block_motion_data(DiracContext *s)
 {
     GetBitContext *gb = &s->gb;
     uint8_t *sbsplit = s->sbsplit;
@@ -1192,7 +1192,9 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
     ff_dirac_init_arith_decoder(arith, gb, svq3_get_ue_golomb(gb));     /* svq3_get_ue_golomb(gb) is the length */
     for (y = 0; y < s->sbheight; y++) {
         for (x = 0; x < s->sbwidth; x++) {
-            int split  = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
+            unsigned int split  = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
+            if (split > 2)
+                return -1;
             sbsplit[x] = (split + pred_sbsplit(sbsplit+x, s->sbwidth, x, y)) % 3;
         }
         sbsplit += s->sbwidth;
@@ -1221,6 +1223,8 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
                     propagate_block_data(block, s->blwidth, step);
                 }
         }
+
+    return 0;
 }
 
 static int weight(int i, int blen, int offset)
@@ -1675,7 +1679,8 @@ static int dirac_decode_picture_header(DiracContext *s)
     if (s->num_refs) {
         if (dirac_unpack_prediction_parameters(s))  /* [DIRAC_STD] 11.2 Picture Prediction Data. picture_prediction() */
             return -1;
-        dirac_unpack_block_motion_data(s);          /* [DIRAC_STD] 12. Block motion data syntax                       */
+        if (dirac_unpack_block_motion_data(s))      /* [DIRAC_STD] 12. Block motion data syntax                       */
+            return -1;
     }
     if (dirac_unpack_idwt_params(s))                /* [DIRAC_STD] 11.3 Wavelet transform data                        */
         return -1;



More information about the ffmpeg-cvslog mailing list