[FFmpeg-devel] [PATCH] avcodec/av1_parse: Check obu_size
James Almer
jamrial at gmail.com
Sun Oct 14 18:33:01 EEST 2018
On 10/14/2018 12:18 PM, Michael Niedermayer wrote:
> On Sun, Oct 14, 2018 at 11:03:29AM -0300, James Almer wrote:
>> On 10/14/2018 10:43 AM, Michael Niedermayer wrote:
>>> Fixes: out of array read
>>> Fixes: SIGSEGV_get_obu_bit_length_av1_parse
>>>
>>> Found-by: keval shah <skeval65 at gmail.com>
>>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> ---
>>> libavcodec/av1_parse.h | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/libavcodec/av1_parse.h b/libavcodec/av1_parse.h
>>> index 276af33ba9..312d8825e1 100644
>>> --- a/libavcodec/av1_parse.h
>>> +++ b/libavcodec/av1_parse.h
>>> @@ -130,6 +130,9 @@ static inline int parse_obu_header(const uint8_t *buf, int buf_size,
>>> if (get_bits_left(&gb) < 0)
>>> return AVERROR_INVALIDDATA;
>>>
>>> + if (*obu_size > (uint64_t)buf_size - get_bits_count(&gb) / 8)
>>> + return AVERROR_INVALIDDATA;
>>> +
>>> *start_pos = get_bits_count(&gb) / 8;
>>>
>>> size = *obu_size + *start_pos;
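Review bot: the new guard `*obu_size > (uint64_t)buf_size - get_bits_count(&gb) / 8` duplicates work the function does two lines further down, where `size = *obu_size + *start_pos;` is already compared against INT_MAX; folding the buffer bound into that existing comparison (`size > buf_size`, with the sum computed in 64 bits) gives one check instead of two and a single error path, and the error code on that path should then be AVERROR_INVALIDDATA rather than AVERROR(ERANGE) so truncated and oversized OBUs are reported the same way. If the separate check is kept, note that its subtraction is only non-negative because the `get_bits_left(&gb) < 0` test just above guarantees `get_bits_count(&gb) / 8 <= buf_size`; a one-line comment stating that dependency would help the next reader.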
>>
>> Right below this line there's the check
>>
>> if (size > INT_MAX)
>> return AVERROR(ERANGE);
>>
>> So I think you could just change it to "size > (int64_t)buf_size" and
>> achieve the same effect without adding an extra check.
>
> I've written it a bit overly defensively, not assuming any range limitation
> of leb128().
> But you are correct, I'll simplify and repost it
Make it return AVERROR_INVALIDDATA instead of ERANGE as well while at
it. Thanks.
>
> thx
>
> [...]
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
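The bound the thread is arguing about, as an added example that is not FFmpeg's code: a simplified stand-in for parse_obu_header whose names (read_leb128, obu_parse_header, obu_payload_end, OBU_ERR_INVALID, the sample_* buffers) are this example's own, and whose sample buffers are constructed rather than captured. It always keeps the existing `size > INT_MAX` test and applies the `size > buf_size` bound James proposes only when `check_bound` is set, so the short-buffer case shows why the INT_MAX test alone does not reject an obu_size that merely exceeds the remaining input, while the 8-byte leb128 case shows the range the patch author was being defensive about.

```c
/* Added example, not FFmpeg's code: a minimal AV1 OBU header parser that
 * mirrors the bound discussed in the thread. read_leb128, obu_parse_header,
 * obu_payload_end and the sample_* buffers are this example's own names. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define OBU_ERR_INVALID (-1)   /* stands in for AVERROR_INVALIDDATA */

struct obu_header {
    int      type;          /* obu_type, 4 bits */
    int      has_extension; /* obu_extension_flag */
    int      has_size;      /* obu_has_size_field */
    uint64_t obu_size;      /* payload size in bytes (leb128 when has_size) */
    int      start_pos;     /* byte offset at which the payload starts */
};

/* Decode an AV1 leb128 value: at most 8 bytes, 7 value bits per byte, MSB set
 * means another byte follows. Returns bytes consumed, or -1 on truncation. */
static int read_leb128(const uint8_t *buf, int buf_size, uint64_t *out)
{
    uint64_t value = 0;
    for (int i = 0; i < 8; i++) {
        if (i >= buf_size)
            return -1;
        value |= (uint64_t)(buf[i] & 0x7f) << (7 * i);
        if (!(buf[i] & 0x80)) {
            *out = value;
            return i + 1;
        }
    }
    return -1;  /* the spec caps leb128 at 8 bytes */
}

/* Parse one OBU header from buf[0..buf_size). check_bound != 0 applies the
 * bound the patch adds (payload must fit in the bytes left after the header);
 * check_bound == 0 keeps only the INT_MAX test the reply refers to. */
static int obu_parse_header(const uint8_t *buf, int buf_size,
                            struct obu_header *h, int check_bound)
{
    int pos;
    uint64_t size;

    if (buf_size < 1 || (buf[0] & 0x80))  /* forbidden bit must be zero */
        return OBU_ERR_INVALID;
    h->type          = (buf[0] >> 3) & 0x0f;
    h->has_extension = (buf[0] >> 2) & 1;
    h->has_size      = (buf[0] >> 1) & 1;
    pos = 1;
    if (h->has_extension) {
        if (buf_size < 2)
            return OBU_ERR_INVALID;
        pos = 2;                          /* extension byte, contents unused here */
    }
    if (h->has_size) {
        int n = read_leb128(buf + pos, buf_size - pos, &h->obu_size);
        if (n < 0)
            return OBU_ERR_INVALID;
        pos += n;
    } else {
        h->obu_size = (uint64_t)(buf_size - pos);  /* OBU spans the rest of buf */
    }
    h->start_pos = pos;

    size = h->obu_size + (uint64_t)h->start_pos;   /* obu_size < 2^56, no overflow */
    if (size > INT_MAX)                            /* the pre-existing check */
        return OBU_ERR_INVALID;
    if (check_bound && size > (uint64_t)buf_size)  /* the single check James proposes */
        return OBU_ERR_INVALID;
    return 0;
}

/* End offset of the payload in bytes, or -1 when the header is rejected. */
static long long obu_payload_end(const uint8_t *buf, int buf_size, int check_bound)
{
    struct obu_header h;
    if (obu_parse_header(buf, buf_size, &h, check_bound) < 0)
        return -1;
    return (long long)(h.obu_size + (uint64_t)h.start_pos);
}

/* Constructed sample buffers (not real captures). 0x0a = type 1, has_size=1. */
static const uint8_t sample_ok[]    = { 0x0a, 0x03, 0xaa, 0xbb, 0xcc };  /* size 3, 3 bytes follow */
static const uint8_t sample_short[] = { 0x0a, 0x10, 0xaa, 0xbb, 0xcc };  /* size 16, only 3 follow */
static const uint8_t sample_huge[]  = { 0x0a, 0xff, 0xff, 0xff, 0xff,
                                        0xff, 0xff, 0xff, 0x7f };        /* size 2^56-1, nothing follows */

int main(void)
{
    printf("ok    : %lld\n", obu_payload_end(sample_ok, (int)sizeof sample_ok, 1));
    printf("short : %lld (INT_MAX only) %lld (bounded)\n",
           obu_payload_end(sample_short, (int)sizeof sample_short, 0),
           obu_payload_end(sample_short, (int)sizeof sample_short, 1));
    printf("huge  : %lld (INT_MAX only) %lld (bounded)\n",
           obu_payload_end(sample_huge, (int)sizeof sample_huge, 0),
           obu_payload_end(sample_huge, (int)sizeof sample_huge, 1));
    return 0;
}
```

With only the INT_MAX test, sample_short is accepted with a payload end of 18 bytes inside a 5-byte buffer, which is exactly the condition that lets a caller read past the end of the input; the bounded form rejects it, and both forms reject the 2^56-1 size because the sum exceeds INT_MAX. Computing `size` in 64 bits before either comparison is what makes the single check safe for the full leb128 range.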