[MPlayer-cvslog] r37589 - in trunk/libmpcodecs: mp_image.c vf.c

[rtogni]

Author: rtogni
Date: Fri Jan  8 00:33:33 2016
New Revision: 37589

Log:
Sanitize image parameters and prevent int32 overflow while calculating the
size of the picture  buffer.

Fixes a crash with a fuzzed file reported by Gustavo Grieco:
SIGSEGV.PC.7ffff462c614.STACK.182bac55d5.CODE.1.ADDR.\(nil\).INSTR.movdqu_%xmm8\,\(%rdi\).fuzz

Modified:
   trunk/libmpcodecs/mp_image.c
   trunk/libmpcodecs/vf.c

Modified: trunk/libmpcodecs/mp_image.c
==============================================================================
--- trunk/libmpcodecs/mp_image.c	Wed Jan  6 21:46:51 2016	(r37588)
+++ trunk/libmpcodecs/mp_image.c	Fri Jan  8 00:33:33 2016	(r37589)
@@ -33,6 +33,15 @@
 #include "mp_msg.h"
 
 void mp_image_alloc_planes(mp_image_t *mpi) {
+  /* This condition is stricter than needed, but I want to be sure that every
+   * calculation step can fit in int32_t. This assumption is true over most of
+   * the code, so this acts as a safeguard for other image size calulations. */
+  if ((unsigned int)mpi->height + 2 > INT_MAX ||
+      (int64_t)mpi->width*(mpi->height+2) > INT_MAX ||
+      (int64_t)mpi->bpp*mpi->width*(mpi->height+2) > INT_MAX) {
+      mp_msg(MSGT_DECVIDEO,MSGL_WARN,"mp_image: Unreasonable image parameters\n");
+      return;
+  }
   // IF09 - allocate space for 4. plane delta info - unused
   if (mpi->imgfmt == IMGFMT_IF09) {
     mpi->planes[0]=av_malloc(mpi->bpp*mpi->width*(mpi->height+2)/8+

Modified: trunk/libmpcodecs/vf.c
==============================================================================
--- trunk/libmpcodecs/vf.c	Wed Jan  6 21:46:51 2016	(r37588)
+++ trunk/libmpcodecs/vf.c	Fri Jan  8 00:33:33 2016	(r37589)
@@ -294,6 +294,11 @@ mp_image_t* vf_get_image(vf_instance_t*
   if (w == -1) w = vf->w;
   if (h == -1) h = vf->h;
 
+  if (w < 0 || h < 0 || w > INT_MAX - 32) {
+      mp_msg(MSGT_DECVIDEO, MSGL_ERR, "vf_get_image: unreasonable picture size\n");
+      return NULL;
+  }
+
   w2=(mp_imgflag&MP_IMGFLAG_ACCEPT_ALIGNED_STRIDE)?FFALIGN(w, 32):w;
 
   if(vf->put_image==vf_next_put_image){
@@ -411,6 +416,11 @@ mp_image_t* vf_get_image(vf_instance_t*
           }
 
           mp_image_alloc_planes(mpi);
+          if (!(mpi->flags & MP_IMGFLAG_ALLOCATED)) { // allocation failed
+              mp_msg(MSGT_DECVIDEO, MSGL_FATAL, "vf_get_image: allocation of image planes failed!\n");
+              return NULL;
+          }
+
 //        printf("clearing img!\n");
           vf_mpi_clear(mpi,0,0,mpi->width,mpi->height);
         }