[FFmpeg-cvslog] truemotion: forbid invalid VLC bitsizes and token values.

Ronald S. Bultje git at videolan.org
Thu May 3 00:26:22 CEST 2012 

ffmpeg | branch: release/0.10 | Ronald S. Bultje <rsbultje at gmail.com> | Thu Mar 29 10:25:04 2012 -0700| [be424d86a85af1d86d2a4d1bc3fede3d6078f796] | committer: Reinhard Tartler

truemotion: forbid invalid VLC bitsizes and token values.

SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.

This prevents crashes on corrupt bitstreams.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=be424d86a85af1d86d2a4d1bc3fede3d6078f796
---

 libavcodec/truemotion2.c |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 5ec24de..81dc84a 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -130,7 +130,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
 
     /* check for correct codes parameters */
     if((huff.val_bits < 1) || (huff.val_bits > 32) ||
-       (huff.max_bits < 0) || (huff.max_bits > 32)) {
+       (huff.max_bits < 0) || (huff.max_bits > 25)) {
         av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect tree parameters - literal length: %i, max code length: %i\n",
                huff.val_bits, huff.max_bits);
         return -1;
@@ -322,10 +322,21 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
                 return -1;
             }
             ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes);
+            if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) {
+                av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n",
+                       ctx->tokens[stream_id][i], stream_id, i);
+                return AVERROR_INVALIDDATA;
+            }
         }
     } else {
-        for(i = 0; i < toks; i++)
+        for(i = 0; i < toks; i++) {
             ctx->tokens[stream_id][i] = codes.recode[0];
+            if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) {
+                av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n",
+                       ctx->tokens[stream_id][i], stream_id, i);
+                return AVERROR_INVALIDDATA;
+            }
+        }
     }
     tm2_free_codes(&codes);
 
@@ -837,9 +848,9 @@ static int decode_frame(AVCodecContext *avctx,
             return AVERROR_INVALIDDATA;
         }
         t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip);
-        if(t == -1){
+        if(t < 0){
             av_free(swbuf);
-            return -1;
+            return t;
         }
         skip += t;
     }

More information about the ffmpeg-cvslog mailing list