[FFmpeg-devel] [PATCH] interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
Paul B Mahol
onemda at gmail.com
Mon Oct 31 09:33:33 EET 2016
On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
> On 30.10.2016 22:18, Paul B Mahol wrote:
>> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
>>> This fixes out-of-bounds reads by the bitstream reader.
>>>
>>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>>> ---
>>> libavcodec/interplayacm.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
>>> index 0486e00..f4a3446 100644
>>> --- a/libavcodec/interplayacm.c
>>> +++ b/libavcodec/interplayacm.c
>>> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
>>> s->block = av_calloc(s->block_len, sizeof(int));
>>> s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
>>> s->ampbuf = av_calloc(0x10000, sizeof(int));
>>> - s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
>>> + s->bitstream = av_calloc(s->max_framesize +
>>> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1,
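Review bot: the count passed to av_calloc on the added line, `s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1`, adds a byte count divided down to elements and then relies on the trailing `+ 1` to cover the truncating division, with nothing in the hunk saying why. Either add a one-line comment that the extra elements are read padding for the bitstream reader, or write the round-up explicitly as `(AV_INPUT_BUFFER_PADDING_SIZE + sizeof(*s->bitstream) - 1) / sizeof(*s->bitstream)` so the intent is checkable. The commit message would also be easier to review if it named the reader call that over-reads.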
>>
>> How did you come up with this fix?
>> A little background would help.
>
> The out-of-bounds read happens in get_bits called from linear.
> The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index].
> The get_bits documentation says:
> /**
>  * Initialize GetBitContext.
>  * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE bytes
>  *        larger than the actual read bits because some optimized bitstream
>  *        readers read 32 or 64 bit at once and could read over the end
>  * @param byte_size the size of the buffer in bytes
>  * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow.
>  */
> static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer,
>                                  int byte_size)
>
> Increasing the buffer size fixed the problem, so the case seems quite clear.
>
> Best regards,
> Andreas
ok
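
The padding requirement quoted above, as an added example that is not part of the original thread and is not FFmpeg's code: a minimal bit reader that loads a 32-bit word per read, instrumented to report how far past the payload it loads. The names DemoBits, demo_get_bits, demo_overread and the value of DEMO_PADDING are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value for this demo; stands in for AV_INPUT_BUFFER_PADDING_SIZE. */
#define DEMO_PADDING 8

typedef struct {
    const uint8_t *buf;
    size_t bit_pos;      /* index of the next bit to read */
    size_t max_touched;  /* one past the highest byte offset loaded so far */
} DemoBits;

/* Read n bits (1..25) by loading a whole 32-bit big-endian word at the
 * current byte position, then shifting and masking. */
static uint32_t demo_get_bits(DemoBits *g, int n)
{
    size_t byte = g->bit_pos >> 3;
    uint32_t word = (uint32_t)g->buf[byte] << 24 | (uint32_t)g->buf[byte + 1] << 16 |
                    (uint32_t)g->buf[byte + 2] << 8 | (uint32_t)g->buf[byte + 3];
    if (byte + 4 > g->max_touched)
        g->max_touched = byte + 4;
    word <<= g->bit_pos & 7;
    g->bit_pos += (size_t)n;
    return word >> (32 - n);
}

/* Consume every payload bit in 8-bit reads and return how many bytes beyond
 * the payload the reader loaded. The demo buffer is allocated with padding,
 * so the demo itself stays in bounds. Returns SIZE_MAX on allocation failure. */
static size_t demo_overread(size_t payload_bytes)
{
    uint8_t *buf = calloc(payload_bytes + DEMO_PADDING, 1);
    DemoBits g = { buf, 0, 0 };
    if (!buf)
        return SIZE_MAX;
    memset(buf, 0xAB, payload_bytes);
    for (size_t i = 0; i < payload_bytes; i++)
        demo_get_bits(&g, 8);
    free(buf);
    return g.max_touched > payload_bytes ? g.max_touched - payload_bytes : 0;
}

int main(void)
{
    printf("bytes loaded past a 16-byte payload: %zu\n", demo_overread(16));
    return 0;
}
```

A buffer sized exactly to the payload would be read 3 bytes past its end by this reader, which is the class of over-read the extra allocation absorbs.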