[FFmpeg-cvslog] vcr1: add sanity checks

Anton Khirnov git at videolan.org
Tue Sep 3 13:51:53 CEST 2013


ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Sat Aug 24 21:30:46 2013 +0200| [8aba7968dd604aae91ee42cbce0be3dad7dceb30] | committer: Anton Khirnov

vcr1: add sanity checks

Fixes invalid reads with corrupted files.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8aba7968dd604aae91ee42cbce0be3dad7dceb30
---

 libavcodec/vcr1.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c
index c4b817e..dd8bcf0 100644
--- a/libavcodec/vcr1.c
+++ b/libavcodec/vcr1.c
@@ -37,6 +37,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx)
 {
     avctx->pix_fmt = AV_PIX_FMT_YUV410P;
 
+    if (avctx->width & 7) {
+        av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width);
+        return AVERROR_INVALIDDATA;
+    }
+
     return 0;
 }
 
@@ -57,9 +62,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
     p->pict_type = AV_PICTURE_TYPE_I;
     p->key_frame = 1;
 
+    if (buf_size < 32)
+        goto packet_small;
+
     for (i = 0; i < 16; i++) {
         a->delta[i] = *bytestream++;
         bytestream++;
+        buf_size--;
     }
 
     for (y = 0; y < avctx->height; y++) {
@@ -70,8 +79,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
             uint8_t *cb = &p->data[1][(y >> 2) * p->linesize[1]];
             uint8_t *cr = &p->data[2][(y >> 2) * p->linesize[2]];
 
+            if (buf_size < 4 + avctx->width)
+                goto packet_small;
+
             for (i = 0; i < 4; i++)
                 a->offset[i] = *bytestream++;
+            buf_size -= 4;
 
             offset = a->offset[0] - a->delta[bytestream[2] & 0xF];
             for (x = 0; x < avctx->width; x += 4) {
@@ -85,8 +98,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
                 *cr++       = bytestream[1];
 
                 bytestream += 4;
+                buf_size   -= 4;
             }
         } else {
+            if (buf_size < avctx->width / 2)
+                goto packet_small;
+
             offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF];
 
             for (x = 0; x < avctx->width; x += 8) {
@@ -100,6 +117,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
                 luma[7]     = offset += a->delta[bytestream[1] >>  4];
                 luma       += 8;
                 bytestream += 4;
+                buf_size   -= 4;
             }
         }
     }
@@ -107,6 +125,9 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame = 1;
 
     return buf_size;
+packet_small:
+    av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n");
+    return AVERROR_INVALIDDATA;
 }
 
 AVCodec ff_vcr1_decoder = {



More information about the ffmpeg-cvslog mailing list