[FFmpeg-devel] [PATCH 2/3] avcodec/cfhd: Require valid setup before Lowpass coefficients, BandHeader and BandSecondPass

Michael Niedermayer michael at niedermayer.cc
Sat Apr 3 17:39:07 EEST 2021


Previously the code skipped all security checks when these where encountered but prior data was incorrect.
Also replace an always true condition by an assert

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/cfhd.c | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index d719fbd65d..8bf910cde6 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -701,11 +701,18 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual];
 
         /* Lowpass coefficients */
-        if (tag == BitstreamMarker && data == 0xf0f && s->a_width && s->a_height) {
-            int lowpass_height = s->plane[s->channel_num].band[0][0].height;
-            int lowpass_width  = s->plane[s->channel_num].band[0][0].width;
-            int lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height;
-            int lowpass_a_width  = s->plane[s->channel_num].band[0][0].a_width;
+        if (tag == BitstreamMarker && data == 0xf0f) {
+            int lowpass_height, lowpass_width, lowpass_a_height, lowpass_a_width;
+
+            if (!s->a_width || !s->a_height) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
+
+            lowpass_height = s->plane[s->channel_num].band[0][0].height;
+            lowpass_width  = s->plane[s->channel_num].band[0][0].width;
+            lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height;
+            lowpass_a_width  = s->plane[s->channel_num].band[0][0].a_width;
 
             if (lowpass_width < 3 ||
                 lowpass_width > lowpass_a_width) {
@@ -755,17 +762,25 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             av_log(avctx, AV_LOG_DEBUG, "Lowpass coefficients %d\n", lowpass_width * lowpass_height);
         }
 
-        if ((tag == BandHeader || tag == BandSecondPass) && s->subband_num_actual != 255 && s->a_width && s->a_height) {
-            int highpass_height = s->plane[s->channel_num].band[s->level][s->subband_num].height;
-            int highpass_width  = s->plane[s->channel_num].band[s->level][s->subband_num].width;
-            int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
-            int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
-            int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
+        av_assert0(s->subband_num_actual != 255);
+        if (tag == BandHeader || tag == BandSecondPass) {
+            int highpass_height, highpass_width, highpass_a_width, highpass_a_height, highpass_stride, a_expected;
             int expected;
-            int a_expected = highpass_a_height * highpass_a_width;
             int level, run, coeff;
             int count = 0, bytes;
 
+            if (!s->a_width || !s->a_height) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
+
+            highpass_height = s->plane[s->channel_num].band[s->level][s->subband_num].height;
+            highpass_width  = s->plane[s->channel_num].band[s->level][s->subband_num].width;
+            highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
+            highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
+            highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
+            a_expected = highpass_a_height * highpass_a_width;
+
             if (!got_buffer) {
                 av_log(avctx, AV_LOG_ERROR, "No end of header tag found\n");
                 ret = AVERROR(EINVAL);
-- 
2.17.1



More information about the ffmpeg-devel mailing list