[FFmpeg-devel] [PATCH v1 07/10] return value check for init_get_bits in vc1dec.c
Maryam Ebrahimzadeh
me22bee at outlook.com
Thu Aug 12 09:02:20 EEST 2021
I chose them because their second argument can be crafted.
On Aug 12, 2021, at 10:29 AM, Hendrik Leppkes <h.leppkes at gmail.com> wrote:
On Thu, Aug 12, 2021 at 6:53 AM maryam ebrahimzadeh <me22bee at outlook.com> wrote:
---
libavcodec/vc1dec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 1fb1950ade..07d60294f2 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -444,7 +444,9 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx)
// the last byte of the extradata is a version number, 1 for the
// samples we can decode
- init_get_bits(&gb, avctx->extradata, avctx->extradata_size*8);
+ ret = init_get_bits8(&gb, avctx->extradata, avctx->extradata_size);
+ if (ret < 0)
+ return ret;
if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0)
return ret;
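Review bot: the switch to init_get_bits8() on the extradata is correct because that variant validates the byte length and fails cleanly instead of trusting a caller-supplied size, but it leaves the other init_get_bits() call sites in this file unchecked (one is visible in the context of the next hunk); either convert the remaining sites in the same patch or say in the commit message why only this one is chosen, so the file does not end up with a mix of checked and unchecked bitreader setups.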
@@ -771,7 +773,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
}
init_get_bits(&s->gb, buf2, buf_size2*8);
} else
- init_get_bits(&s->gb, buf, buf_size*8);
+ ret = init_get_bits8(&s->gb, buf, buf_size);
+ if (ret < 0)
+ return ret;
if (v->res_sprite) {
v->new_sprite = !get_bits1(&s->gb);
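Review bot: the `} else` at the top of this hunk has no braces, so only `ret = init_get_bits8(&s->gb, buf, buf_size);` belongs to the else branch and the following `if (ret < 0) return ret;` runs unconditionally, including after the `init_get_bits(&s->gb, buf2, buf_size2*8);` path where `ret` still holds whatever an earlier call left in it. Wrap the new three lines in `} else { ... }`. The `buf2` call in the context line is also still the unchecked init_get_bits() form; it should get the same init_get_bits8() treatment so both branches of this if/else validate their input size.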
There is a whole bunch of other cases in vc1dec.c, I can even see one
in the patch context there. Any reason you picked only these two to
change?
- Hendrik
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel at ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".