[FFmpeg-cvslog] diracdec: Check dirac_unpack_idwt_params parameters before storing them.
Michael Niedermayer
git at videolan.org
Thu Jan 26 17:15:53 CET 2012
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Jan 26 15:41:43 2012 +0100| [e2291ea1534d17306f685b8c8abc8585bbed87bf] | committer: Michael Niedermayer
diracdec: Check dirac_unpack_idwt_params parameters before storing them.
Fixes CVE-2011-3949
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2291ea1534d17306f685b8c8abc8585bbed87bf
---
libavcodec/diracdec.c | 29 ++++++++++++++---------------
1 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 1bc7334..e6b33e2 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -933,6 +933,15 @@ static int dirac_unpack_idwt_params(DiracContext *s)
{
GetBitContext *gb = &s->gb;
int i, level;
+ unsigned tmp;
+
+#define CHECKEDREAD(dst, cond, errmsg) \
+ tmp = svq3_get_ue_golomb(gb); \
+ if (cond) { \
+ av_log(s->avctx, AV_LOG_ERROR, errmsg); \
+ return -1; \
+ }\
+ dst = tmp;
align_get_bits(gb);
@@ -941,29 +950,19 @@ static int dirac_unpack_idwt_params(DiracContext *s)
return 0;
/*[DIRAC_STD] 11.3.1 Transform parameters. transform_parameters() */
- s->wavelet_idx = svq3_get_ue_golomb(gb);
- if (s->wavelet_idx > 6)
- return -1;
+ CHECKEDREAD(s->wavelet_idx, tmp > 6, "wavelet_idx is too big\n")
- s->wavelet_depth = svq3_get_ue_golomb(gb);
- if (s->wavelet_depth > MAX_DWT_LEVELS) {
- av_log(s->avctx, AV_LOG_ERROR, "too many dwt decompositions\n");
- return -1;
- }
+ CHECKEDREAD(s->wavelet_depth, tmp > MAX_DWT_LEVELS || tmp < 1, "invalid number of DWT decompositions\n")
if (!s->low_delay) {
/* Codeblock paramaters (core syntax only) */
if (get_bits1(gb)) {
for (i = 0; i <= s->wavelet_depth; i++) {
- s->codeblock[i].width = svq3_get_ue_golomb(gb);
- s->codeblock[i].height = svq3_get_ue_golomb(gb);
+ CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n")
+ CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n")
}
- s->codeblock_mode = svq3_get_ue_golomb(gb);
- if (s->codeblock_mode > 1) {
- av_log(s->avctx, AV_LOG_ERROR, "unknown codeblock mode\n");
- return -1;
- }
+ CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n")
} else
for (i = 0; i <= s->wavelet_depth; i++)
s->codeblock[i].width = s->codeblock[i].height = 1;
More information about the ffmpeg-cvslog
mailing list