[FFmpeg-cvslog] lavc/dvbsub: fix potential encode buffer overflow
John Stebbins
git at videolan.org
Sat Apr 11 02:53:45 EEST 2020
ffmpeg | branch: master | John Stebbins <jstebbins at jetheaddev.com> | Fri Apr 10 12:07:59 2020 -0600| [eda8d48fea712b9f19f81be384643a6cade647a1] | committer: Philip Langdale
lavc/dvbsub: fix potential encode buffer overflow
encode buffer size was ignored
Signed-off-by: Philip Langdale <philipl at overt.org>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eda8d48fea712b9f19f81be384643a6cade647a1
---
libavcodec/dvbsub.c | 97 +++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 75 insertions(+), 22 deletions(-)
diff --git a/libavcodec/dvbsub.c b/libavcodec/dvbsub.c
index a8d43d81d6..a0be0b1056 100644
--- a/libavcodec/dvbsub.c
+++ b/libavcodec/dvbsub.c
@@ -37,11 +37,11 @@ typedef struct DVBSubtitleContext {
}\
}
-static void dvb_encode_rle2(uint8_t **pq,
- const uint8_t *bitmap, int linesize,
- int w, int h)
+static int dvb_encode_rle2(uint8_t **pq, int buf_size,
+ const uint8_t *bitmap, int linesize,
+ int w, int h)
{
- uint8_t *q;
+ uint8_t *q, *line_begin;
unsigned int bitbuf;
int bitcnt;
int x, y, len, x1, v, color;
@@ -49,6 +49,10 @@ static void dvb_encode_rle2(uint8_t **pq,
q = *pq;
for(y = 0; y < h; y++) {
+ // Worst case line is 3 bits per value + 4 bytes overhead
+ if (buf_size * 8 < w * 3 + 32)
+ return AVERROR_BUFFER_TOO_SMALL;
+ line_begin = q;
*q++ = 0x10;
bitbuf = 0;
bitcnt = 6;
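Review bot: The worst-case guard `buf_size * 8 < w * 3 + 32` multiplies an int by 8 before comparing, so a buf_size above INT_MAX/8 overflows the left-hand side (signed overflow is undefined behaviour) and the check can wrap negative or be optimised away; the same form appears in the rle4 check in the hunk ending at `bitcnt = 4;` and the rle8 check in the hunk that introduces `*q++ = 0x12;`. Comparing in bytes avoids the multiplication entirely, e.g. `if (buf_size < (w * 3 + 32 + 7) / 8)` here and `(w * 6 + 32 + 7) / 8` / `(w * 12 + 24 + 7) / 8` in the other two, or widen both sides to int64_t. Subtitle output buffers are normally far smaller than that, so this is hardening rather than a reachable bug today. dvb_encode_rle2's body continues outside the hunk.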
@@ -109,8 +113,11 @@ static void dvb_encode_rle2(uint8_t **pq,
}
*q++ = 0xf0;
bitmap += linesize;
+ buf_size -= q - line_begin;
}
+ len = q - *pq;
*pq = q;
+ return len;
}
#define PUTBITS4(val)\
@@ -125,11 +132,11 @@ static void dvb_encode_rle2(uint8_t **pq,
}
/* some DVB decoders only implement 4 bits/pixel */
-static void dvb_encode_rle4(uint8_t **pq,
- const uint8_t *bitmap, int linesize,
- int w, int h)
+static int dvb_encode_rle4(uint8_t **pq, int buf_size,
+ const uint8_t *bitmap, int linesize,
+ int w, int h)
{
- uint8_t *q;
+ uint8_t *q, *line_begin;
unsigned int bitbuf;
int bitcnt;
int x, y, len, x1, v, color;
@@ -137,6 +144,10 @@ static void dvb_encode_rle4(uint8_t **pq,
q = *pq;
for(y = 0; y < h; y++) {
+ // Worst case line is 6 bits per value, + 4 bytes overhead
+ if (buf_size * 8 < w * 6 + 32)
+ return AVERROR_BUFFER_TOO_SMALL;
+ line_begin = q;
*q++ = 0x11;
bitbuf = 0;
bitcnt = 4;
@@ -189,20 +200,27 @@ static void dvb_encode_rle4(uint8_t **pq,
}
*q++ = 0xf0;
bitmap += linesize;
+ buf_size -= q - line_begin;
}
+ len = q - *pq;
*pq = q;
+ return len;
}
-static void dvb_encode_rle8(uint8_t **pq,
- const uint8_t *bitmap, int linesize,
- int w, int h)
+static int dvb_encode_rle8(uint8_t **pq, int buf_size,
+ const uint8_t *bitmap, int linesize,
+ int w, int h)
{
- uint8_t *q;
+ uint8_t *q, *line_begin;
int x, y, len, x1, color;
q = *pq;
for (y = 0; y < h; y++) {
+ // Worst case line is 12 bits per value, + 3 bytes overhead
+ if (buf_size * 8 < w * 12 + 24)
+ return AVERROR_BUFFER_TOO_SMALL;
+ line_begin = q;
*q++ = 0x12;
x = 0;
@@ -243,12 +261,16 @@ static void dvb_encode_rle8(uint8_t **pq,
*q++ = 0x00;
*q++ = 0xf0;
bitmap += linesize;
+ buf_size -= q - line_begin;
}
+ len = q - *pq;
*pq = q;
+ return len;
}
static int encode_dvb_subtitles(AVCodecContext *avctx,
- uint8_t *outbuf, const AVSubtitle *h)
+ uint8_t *outbuf, int buf_size,
+ const AVSubtitle *h)
{
DVBSubtitleContext *s = avctx->priv_data;
uint8_t *q, *pseg_len;
@@ -263,6 +285,8 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
return -1;
if (avctx->width > 0 && avctx->height > 0) {
+ if (buf_size < 11)
+ return AVERROR_BUFFER_TOO_SMALL;
/* display definition segment */
*q++ = 0x0f; /* sync_byte */
*q++ = 0x14; /* segment_type */
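Review bot: The new early exit returns AVERROR_BUFFER_TOO_SMALL while the pre-existing `return -1;` at the top of this hunk still reports a bare -1, so encode_dvb_subtitles now mixes two error conventions. Since this commit is the one introducing AVERROR codes into the function, that line could become `return AVERROR(EINVAL);` so callers see one error space; the condition it guards is outside the hunk, so confirm EINVAL is the right code for it.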
@@ -273,10 +297,13 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
bytestream_put_be16(&q, avctx->width - 1); /* display width */
bytestream_put_be16(&q, avctx->height - 1); /* display height */
bytestream_put_be16(&pseg_len, q - pseg_len - 2);
+ buf_size -= 11;
}
/* page composition segment */
+ if (buf_size < 8 + h->num_rects * 6)
+ return AVERROR_BUFFER_TOO_SMALL;
*q++ = 0x0f; /* sync_byte */
*q++ = 0x10; /* segment_type */
bytestream_put_be16(&q, page_id);
@@ -295,9 +322,12 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
}
bytestream_put_be16(&pseg_len, q - pseg_len - 2);
+ buf_size -= 8 + h->num_rects * 6;
if (h->num_rects) {
for (clut_id = 0; clut_id < h->num_rects; clut_id++) {
+ if (buf_size < 6 + h->rects[clut_id]->nb_colors * 6)
+ return AVERROR_BUFFER_TOO_SMALL;
/* CLUT segment */
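Review bot: The CLUT bound `6 + h->rects[clut_id]->nb_colors * 6` appears to account only for the 6-byte segment header (sync byte, type, page_id, segment length), whereas the other new bounds — 11 for the display definition, 8 + 6 per region for page composition, 13 for object data — include the segment-specific bytes that follow the header. The CLUT segment body is outside this hunk, so please check whether it writes a clut_id and a version byte before the colour entries; if it does, this check and the matching `buf_size -= 6 + h->rects[clut_id]->nb_colors * 6;` undercount by 2 bytes per CLUT and should both read `8 + h->rects[clut_id]->nb_colors * 6`. The per-line RLE slack would usually absorb two bytes, but the running accounting should be exact because the final `buf_size < 6` check relies on it.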
@@ -343,9 +373,12 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
}
bytestream_put_be16(&pseg_len, q - pseg_len - 2);
+ buf_size -= 6 + h->rects[clut_id]->nb_colors * 6;
}
}
+ if (buf_size < h->num_rects * 22)
+ return AVERROR_BUFFER_TOO_SMALL;
for (region_id = 0; region_id < h->num_rects; region_id++) {
/* region composition segment */
@@ -385,13 +418,17 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
bytestream_put_be16(&pseg_len, q - pseg_len - 2);
}
+ buf_size -= h->num_rects * 22;
if (h->num_rects) {
for (object_id = 0; object_id < h->num_rects; object_id++) {
- void (*dvb_encode_rle)(uint8_t **pq,
- const uint8_t *bitmap, int linesize,
- int w, int h);
+ int (*dvb_encode_rle)(uint8_t **pq, int buf_size,
+ const uint8_t *bitmap, int linesize,
+ int w, int h);
+
+ if (buf_size < 13)
+ return AVERROR_BUFFER_TOO_SMALL;
/* bpp_index maths */
if (h->rects[object_id]->nb_colors <= 4) {
@@ -420,19 +457,32 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
non_modifying_color_flag */
{
uint8_t *ptop_field_len, *pbottom_field_len, *top_ptr, *bottom_ptr;
+ int ret;
ptop_field_len = q;
q += 2;
pbottom_field_len = q;
q += 2;
+ buf_size -= 13;
top_ptr = q;
- dvb_encode_rle(&q, h->rects[object_id]->data[0], h->rects[object_id]->w * 2,
- h->rects[object_id]->w, h->rects[object_id]->h >> 1);
+ ret = dvb_encode_rle(&q, buf_size,
+ h->rects[object_id]->data[0],
+ h->rects[object_id]->w * 2,
+ h->rects[object_id]->w,
+ h->rects[object_id]->h >> 1);
+ if (ret < 0)
+ return ret;
+ buf_size -= ret;
bottom_ptr = q;
- dvb_encode_rle(&q, h->rects[object_id]->data[0] + h->rects[object_id]->w,
- h->rects[object_id]->w * 2, h->rects[object_id]->w,
- h->rects[object_id]->h >> 1);
+ ret = dvb_encode_rle(&q, buf_size,
+ h->rects[object_id]->data[0] + h->rects[object_id]->w,
+ h->rects[object_id]->w * 2,
+ h->rects[object_id]->w,
+ h->rects[object_id]->h >> 1);
+ if (ret < 0)
+ return ret;
+ buf_size -= ret;
bytestream_put_be16(&ptop_field_len, bottom_ptr - top_ptr);
bytestream_put_be16(&pbottom_field_len, q - bottom_ptr);
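Review bot: The new checks stop the RLE writers from overrunning the buffer, but the field lengths stored by `bytestream_put_be16(&ptop_field_len, bottom_ptr - top_ptr)` and `bytestream_put_be16(&pbottom_field_len, q - bottom_ptr)` are 16-bit, so an RLE field longer than 65535 bytes is silently truncated in the header and yields a malformed object data segment instead of an error. Since each call's length is now available in `ret`, it is cheap to reject that case immediately after each `if (ret < 0) return ret;`, e.g. `if (ret > 0xffff) return AVERROR(EINVAL);`; the segment_length written for this segment outside the hunk presumably needs the same bound on the top+bottom total. Whether a real bitmap can reach that size depends on the RLE worst case, which is not visible here.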
@@ -444,6 +494,8 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
/* end of display set segment */
+ if (buf_size < 6)
+ return AVERROR_BUFFER_TOO_SMALL;
*q++ = 0x0f; /* sync_byte */
*q++ = 0x80; /* segment_type */
bytestream_put_be16(&q, page_id);
@@ -451,6 +503,7 @@ static int encode_dvb_subtitles(AVCodecContext *avctx,
q += 2; /* segment length */
bytestream_put_be16(&pseg_len, q - pseg_len - 2);
+ buf_size -= 6;
s->object_version = (s->object_version + 1) & 0xf;
return q - outbuf;
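Review bot: `buf_size -= 6;` is a dead store — nothing reads buf_size between it and `return q - outbuf;` two lines later. It is harmless and keeps the per-segment pattern symmetrical, but either drop it or add a short comment such as `/* buf_size is not read after this; kept for symmetry with the other segments */` so a later reader does not go looking for a consumer.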
@@ -462,7 +515,7 @@ static int dvbsub_encode(AVCodecContext *avctx,
{
int ret;
- ret = encode_dvb_subtitles(avctx, buf, sub);
+ ret = encode_dvb_subtitles(avctx, buf, buf_size, sub);
return ret;
}