[FFmpeg-cvslog] avcodec/utvideodec: Add several out of array read related checks

Michael Niedermayer git at videolan.org
Sun Feb 11 13:42:45 EET 2018


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Feb  9 15:27:41 2018 +0100| [76cc0f0f673353cd4746cd3b83838ae335e5d9ed] | committer: Michael Niedermayer

avcodec/utvideodec: Add several out of array read related checks

Fixes: OV_decode_plane.avi

Found-by: GwanYeong Kim <gy741.kim at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76cc0f0f673353cd4746cd3b83838ae335e5d9ed
---

 libavcodec/utvideodec.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 1bcd14e74c..c5f5534964 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -268,6 +268,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
             send   = (height * (slice + 1) / c->slices) & cmask;
             dest   = dst + sstart * stride;
 
+            if (3 * ((dst + send * stride - dest + 7)/8) > get_bits_left(&cbit))
+                return AVERROR_INVALIDDATA;
+
             for (p = dest; p < dst + send * stride; p += 8) {
                 int bits = get_bits_le(&cbit, 3);
 
@@ -277,6 +280,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
                     uint32_t sub = 0x80 >> (8 - (bits + 1)), add;
                     int k;
 
+                    if ((bits + 1) * 8 > get_bits_left(&pbit))
+                        return AVERROR_INVALIDDATA;
+
                     for (k = 0; k < 8; k++) {
 
                         p[k] = get_bits_le(&pbit, bits + 1);
@@ -639,9 +645,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             for (j = 0; j < c->slices; j++) {
                 c->packed_stream[i][j] = packed_stream;
                 c->packed_stream_size[i][j] = bytestream2_get_le32(&pb);
-                left -= c->packed_stream_size[i][j];
-                if (left < 0)
+                if (c->packed_stream_size[i][j] > left)
                     return AVERROR_INVALIDDATA;
+                left -= c->packed_stream_size[i][j];
                 packed_stream += c->packed_stream_size[i][j];
             }
         }
@@ -652,9 +658,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             for (j = 0; j < c->slices; j++) {
                 c->control_stream[i][j] = control_stream;
                 c->control_stream_size[i][j] = bytestream2_get_le32(&pb);
-                left -= c->control_stream_size[i][j];
-                if (left < 0)
+                if (c->control_stream_size[i][j] > left)
                     return AVERROR_INVALIDDATA;
+                left -= c->control_stream_size[i][j];
                 control_stream += c->control_stream_size[i][j];
             }
         }



More information about the ffmpeg-cvslog mailing list