[FFmpeg-devel] [PATCH] interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE

Paul B Mahol onemda at gmail.com
Mon Oct 31 09:33:33 EET 2016


On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
> On 30.10.2016 22:18, Paul B Mahol wrote:
>> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
>>> This fixes out-of-bounds reads by the bitstream reader.
>>>
>>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>>> ---
>>>  libavcodec/interplayacm.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
>>> index 0486e00..f4a3446 100644
>>> --- a/libavcodec/interplayacm.c
>>> +++ b/libavcodec/interplayacm.c
>>> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
>>>      s->block   = av_calloc(s->block_len, sizeof(int));
>>>      s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
>>>      s->ampbuf  = av_calloc(0x10000, sizeof(int));
>>> -    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
>>> +    s->bitstream = av_calloc(s->max_framesize +
>>> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1,
>>
>> How did you came up with this fix?
>> Little background would help.
>
> The out-of-bounds read happens in get_bits called from linear.
> The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index].
> The get_bits documentation says:
> /**
>  * Initialize GetBitContext.
>  * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE
> bytes
>  *        larger than the actual read bits because some optimized bitstream
>  *        readers read 32 or 64 bit at once and could read over the end
>  * @param byte_size the size of the buffer in bytes
>  * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would
> overflow.
>  */
> static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer,
>                                  int byte_size)
>
> Increasing the buffer size fixed the problem, so the case seems quite clear.
>
> Best regards,
> Andreas
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

ok


More information about the ffmpeg-devel mailing list