[FFmpeg-cvslog] avcodec/cfhd: Check band parameters before storing them

Michael Niedermayer git at videolan.org
Sun Jun 18 17:34:39 EEST 2017


ffmpeg | branch: release/3.1 | Michael Niedermayer <michael at niedermayer.cc> | Sat Jun 10 18:45:08 2017 +0200| [f263c4687f60c489d7086bbd4a58d1bb279fde80] | committer: Michael Niedermayer

avcodec/cfhd: Check band parameters before storing them

Fixes out of array read
Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f263c4687f60c489d7086bbd4a58d1bb279fde80
---

 libavcodec/cfhd.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index dfc9ace792..9473473f2d 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -317,22 +317,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->prescale_shift[2] = (data >> 6) & 0x7;
             av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data);
         } else if (tag == 27) {
-            s->plane[s->channel_num].band[0][0].width  = data;
-            s->plane[s->channel_num].band[0][0].stride = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data);
             if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[0][0].width  = data;
+            s->plane[s->channel_num].band[0][0].stride = data;
         } else if (tag == 28) {
-            s->plane[s->channel_num].band[0][0].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data);
             if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[0][0].height = data;
         } else if (tag == 1)
             av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data);
         else if (tag == 10) {
@@ -363,39 +363,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                 av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2);
             }
         } else if (tag == 41) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
-            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
+            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
         } else if (tag == 42) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
         } else if (tag == 49) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
-            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
+            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
         } else if (tag == 50) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
         } else if (tag == 71) {
             s->codebook = data;
             av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", s->codebook);



More information about the ffmpeg-cvslog mailing list