[FFmpeg-devel] [PATCH] rpza: fix the bounds check

Carl Eugen Hoyos ceffmpeg at gmail.com
Thu Jun 21 11:23:19 EEST 2018


2018-06-21 5:46 GMT+02:00, Xiao Yang <YangX92 at hotmail.com>:
> Fixes invalid writes when there are more blocks in a run
> than total remaining blocks

Please provide a test case that allows reproducing the
issue your patch fixes.

> (see CVE-2014-8548)
> ---
>  libavcodec/rpza.c |    5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
> index b71ebd1..7cb6b89 100644
> --- a/libavcodec/rpza.c
> +++ b/libavcodec/rpza.c
> @@ -68,6 +68,11 @@ typedef struct RpzaContext {
>              row_ptr  += stride * 4; \
>          }                           \
>          total_blocks--;             \
> +        if (total_blocks < !!n_blocks) \
> +        { \
> +            av_log(s->avctx, AV_LOG_INFO, "warning: block
> counter just went negative (this should not happen)\n"); \

> +            return; \
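
Review bot: the bare `return;` at the end of the added block sits inside a multi-line macro, so it leaves whichever function expands the macro, without a value and without that being visible at the call site. If that function returns a status, this is a likely source of compiler warnings, and the caller never learns that decoding stopped early; consider returning an error such as AVERROR_INVALIDDATA, or moving the check out of the macro into the code that uses it. The message is prefixed "warning:" but logged at AV_LOG_INFO; AV_LOG_WARNING or AV_LOG_ERROR would match the text, and the prefix can then go. The condition `total_blocks < !!n_blocks` runs after `total_blocks--` and its intent is hard to read: a short comment, or a plain comparison of the run length against the remaining blocks before the counter is decremented, would make clear what is being guarded. As quoted, the av_log string literal is also broken across two lines; if that is not just mail wrapping, it has to stay on one line.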

This produces several warnings at compile time, please fix them.

Carl Eugen

