[FFmpeg-devel] [PATCH] avcodec/av1_parse: Check obu_size
Michael Niedermayer
michael at niedermayer.cc
Sun Oct 14 18:18:35 EEST 2018
On Sun, Oct 14, 2018 at 11:03:29AM -0300, James Almer wrote:
> On 10/14/2018 10:43 AM, Michael Niedermayer wrote:
> > Fixes: out of array read
> > Fixes: SIGSEGV_get_obu_bit_length_av1_parse
> >
> > Found-by: keval shah <skeval65 at gmail.com>
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/av1_parse.h | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/av1_parse.h b/libavcodec/av1_parse.h
> > index 276af33ba9..312d8825e1 100644
> > --- a/libavcodec/av1_parse.h
> > +++ b/libavcodec/av1_parse.h
> > @@ -130,6 +130,9 @@ static inline int parse_obu_header(const uint8_t *buf, int buf_size,
> > if (get_bits_left(&gb) < 0)
> > return AVERROR_INVALIDDATA;
> >
> > + if (*obu_size > (uint64_t)buf_size - get_bits_count(&gb) / 8)
> > + return AVERROR_INVALIDDATA;
> > +
> > *start_pos = get_bits_count(&gb) / 8;
> >
> > size = *obu_size + *start_pos;
>
> Right below this line there's the check
>
> if (size > INT_MAX)
> return AVERROR(ERANGE);
>
> So i think you could just change it to "size > (int64_t)buf_size" and
> achieve the same effect without adding an extra check.
ive written it a bit overly defensive, not assuming any range limitation
of leb128().
But you are correct, ill simplify and repost it
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
"Nothing to hide" only works if the folks in power share the values of
you and everyone you know entirely and always will -- Tom Scott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20181014/5f145a2d/attachment.sig>
More information about the ffmpeg-devel
mailing list