[FFmpeg-cvslog] avcodec/utvideodec: Add several out of array read related checks
Michael Niedermayer
git at videolan.org
Sun Feb 11 13:42:45 EET 2018
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Feb 9 15:27:41 2018 +0100| [76cc0f0f673353cd4746cd3b83838ae335e5d9ed] | committer: Michael Niedermayer
avcodec/utvideodec: Add several out of array read related checks
Fixes: OV_decode_plane.avi
Found-by: GwanYeong Kim <gy741.kim at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76cc0f0f673353cd4746cd3b83838ae335e5d9ed
---
libavcodec/utvideodec.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 1bcd14e74c..c5f5534964 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -268,6 +268,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
send = (height * (slice + 1) / c->slices) & cmask;
dest = dst + sstart * stride;
+ if (3 * ((dst + send * stride - dest + 7)/8) > get_bits_left(&cbit))
+ return AVERROR_INVALIDDATA;
+
for (p = dest; p < dst + send * stride; p += 8) {
int bits = get_bits_le(&cbit, 3);
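Review bot: The added bound `3 * ((dst + send * stride - dest + 7)/8)` carries two unexplained constants and re-derives the loop's trip count through pointer arithmetic, so a later change to the loop step or the control-code width could leave the check out of step with the reads it guards. A short comment above it, e.g. `/* each group of 8 samples reads one 3-bit control code from cbit */`, would state the invariant. Since `dest` is `dst + sstart * stride`, the count could also be written directly from `(send - sstart) * stride`. The body of decode_plane starts and ends outside this hunk, so how `cbit` is initialised is not visible here.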
@@ -277,6 +280,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
uint32_t sub = 0x80 >> (8 - (bits + 1)), add;
int k;
+ if ((bits + 1) * 8 > get_bits_left(&pbit))
+ return AVERROR_INVALIDDATA;
+
for (k = 0; k < 8; k++) {
p[k] = get_bits_le(&pbit, bits + 1);
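Review bot: The inner loop stores `p[0]` through `p[7]` on every pass of the outer `for (p = dest; p < dst + send * stride; p += 8)` loop, and the two new checks bound only the bits read, not the bytes written. If the slice length is not a multiple of 8, which the `+ 7` round-up in the earlier check suggests is possible, the final group would write up to 7 bytes past `dst + send * stride`. Whether the destination's padding covers that cannot be seen from this hunk. Either reject such sizes before the loop or add a comment at the loop naming where the multiple-of-8 guarantee is enforced. The loop body continues outside the hunk.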
@@ -639,9 +645,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
for (j = 0; j < c->slices; j++) {
c->packed_stream[i][j] = packed_stream;
c->packed_stream_size[i][j] = bytestream2_get_le32(&pb);
- left -= c->packed_stream_size[i][j];
- if (left < 0)
+ if (c->packed_stream_size[i][j] > left)
return AVERROR_INVALIDDATA;
+ left -= c->packed_stream_size[i][j];
packed_stream += c->packed_stream_size[i][j];
}
}
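Review bot: Whether `c->packed_stream_size[i][j] > left` rejects oversized values depends on the declared types, which are outside this hunk. The size is read from a 32-bit little-endian field in the packet; if it is stored in a signed `int`, a value of 0x80000000 or more compares as negative, passes the check, and the following `left -=` then increases `left` instead of reducing it. If the field is unsigned, the comparison is sound only while `left` is non-negative on entry. Writing the assumption into the test, e.g. `if (left < 0 || c->packed_stream_size[i][j] > (unsigned)left)`, covers both cases. The same applies to the `control_stream_size` check in the next hunk.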
@@ -652,9 +658,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
for (j = 0; j < c->slices; j++) {
c->control_stream[i][j] = control_stream;
c->control_stream_size[i][j] = bytestream2_get_le32(&pb);
- left -= c->control_stream_size[i][j];
- if (left < 0)
+ if (c->control_stream_size[i][j] > left)
return AVERROR_INVALIDDATA;
+ left -= c->control_stream_size[i][j];
control_stream += c->control_stream_size[i][j];
}
}