[FFmpeg-devel] [PATCH] interplayacm: check for too large b
Paul B Mahol
onemda at gmail.com
Sun Oct 30 23:16:52 EET 2016
On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
> This fixes out-of-bounds reads.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavcodec/interplayacm.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
> index 0fd3501..0486e00 100644
> --- a/libavcodec/interplayacm.c
> +++ b/libavcodec/interplayacm.c
> @@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind,
> unsigned col)
> for (i = 0; i < s->rows; i++) {
> /* b = (x1) + (x2 * 3) + (x3 * 9) */
> b = get_bits(gb, 5);
> + if (b > 26) {
> + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
> + return AVERROR_INVALIDDATA;
> + }
>
> n1 = (mul_3x3[b] & 0x0F) - 1;
> n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
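Review bot: the av_log() call in the new b > 26 branch of t15 passes NULL as the logging context, so the message cannot be attributed to a decoder instance. If a logging context is reachable from s, pass it instead of NULL. The limit itself agrees with the comment above it: with three digits in 0..2, x1 + x2*3 + x3*9 tops out at 26, while get_bits(gb, 5) can return up to 31, so the check is placed correctly before the first mul_3x3[b] lookup.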
> @@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind,
> unsigned col)
> for (i = 0; i < s->rows; i++) {
> /* b = (x1) + (x2 * 5) + (x3 * 25) */
> b = get_bits(gb, 7);
> + if (b > 124) {
> + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
> + return AVERROR_INVALIDDATA;
> + }
>
> n1 = (mul_3x5[b] & 0x0F) - 2;
> n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
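Review bot: the limit 124 in the t27 check is hard-coded twice, once in the condition and once in the format string, and nothing in the hunk ties it to the size of mul_3x5. If mul_3x5 is declared as an array in this file, comparing against FF_ARRAY_ELEMS(mul_3x5) and printing that value would keep the check and the table in step should the table ever change. The value does match the comment (4 + 4*5 + 4*25 = 124), and get_bits(gb, 7) can return up to 127.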
> @@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind,
> unsigned col)
> for (i = 0; i < s->rows; i++) {
> /* b = (x1) + (x2 * 11) */
> b = get_bits(gb, 7);
> + if (b > 120) {
> + av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
> + return AVERROR_INVALIDDATA;
> + }
>
> n1 = (mul_2x11[b] & 0x0F) - 5;
> n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
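Review bot: the new return AVERROR_INVALIDDATA in t37 exits from inside the loop over s->rows, after earlier iterations may already have run; the callers are outside this hunk, so it is worth confirming they propagate the negative return value instead of ignoring it. The same check, log and return sequence now appears in t15, t27 and t37 with only the limit changing, so a small helper taking the limit would remove the duplication. The limit matches the comment (10 + 10*11 = 120) against a 7-bit read that can return up to 127.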
> --
> 2.10.1
>
probably ok.