[FFmpeg-devel] [PATCH] exr: fix out of bounds read in get_code
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Fri Dec 18 15:33:06 CET 2015
On 13.12.2015 23:37, Andreas Cadhalpun wrote:
> This macro unconditionally used out[-1], which causes an out-of-bounds
> read if out points to the very beginning of the buffer.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavcodec/exr.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/libavcodec/exr.c b/libavcodec/exr.c
> index 86a9908..cf28374 100644
> --- a/libavcodec/exr.c
> +++ b/libavcodec/exr.c
> @@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
> lc += 8; \
> }
>
> -#define get_code(po, rlc, c, lc, gb, out, oe) \
> +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \
> { \
> if (po == rlc) { \
> if (lc < 8) \
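Review bot: The new `outb` parameter is undocumented, so nothing at the macro tells a reader it must be the first element of the buffer that `out` walks. A short comment above the `#define` would make the contract auditable, for example `/* outb: start of the output buffer; a run code repeats out[-1], so it requires out > outb */`. The same comment should say that the macro returns AVERROR_INVALIDDATA from the enclosing function, since that exit is invisible at the call sites. The macro body continues past this hunk.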
> @@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
> \
> cs = c >> lc; \
> \
> - if (out + cs > oe) \
> + if (out + cs > oe || out == outb) \
> return AVERROR_INVALIDDATA; \
> \
> s = out[-1]; \
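Review bot: The changed bounds test still evaluates `out + cs` before comparing it with `oe`, so a large run length decoded from the bitstream forms a pointer more than one past the end of the buffer. That is undefined behaviour in C, and an optimiser may treat the comparison as always false. Comparing lengths avoids it and puts the cheap start-of-buffer test first: `if (out == outb || cs > oe - out)`. The declaration of `cs` is outside this hunk, so its type should be checked to confirm the comparison with the pointer difference has no signed/unsigned mismatch.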
> @@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
>
> if (pl.len) {
> lc -= pl.len;
> - get_code(pl.lit, rlc, c, lc, gb, out, oe);
> + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
> } else {
> int j;
>
> @@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
> if ((hcode[pl.p[j]] >> 6) ==
> ((c >> (lc - l)) & ((1LL << l) - 1))) {
> lc -= l;
> - get_code(pl.p[j], rlc, c, lc, gb, out, oe);
> + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
> break;
> }
> }
> @@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
>
> if (pl.len) {
> lc -= pl.len;
> - get_code(pl.lit, rlc, c, lc, gb, out, oe);
> + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
> } else {
> return AVERROR_INVALIDDATA;
> }
>
This was applied to Libav, so I've pushed it also to FFmpeg.
Best regards,
Andreas