[FFmpeg-devel] [PATCH v3 1/1] avcodec/wmalosslessdec: Return value check for init_get_bits
maryam ebrahimzadeh
me22bee at outlook.com
Sat Aug 28 22:23:14 EEST 2021
avcodec/wmalosslessdec: Return value check for init_get_bits
As with CVE-2021-38171, the second argument to init_get_bits (avpkt and buf)
can be crafted, so the return value of this call must be checked.
Also replace init_get_bits with init_get_bits8.
---
libavcodec/wmalosslessdec.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 74c91f4f7e..9de60b61c3 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1187,6 +1187,7 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
const uint8_t* buf = avpkt->data;
int buf_size = avpkt->size;
int num_bits_prev_frame, packet_sequence_number, spliced_packet;
+ int ret;
s->frame->nb_samples = 0;
@@ -1205,7 +1206,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
s->buf_bit_size = buf_size << 3;
/* parse packet header */
- init_get_bits(gb, buf, s->buf_bit_size);
+ ret = init_get_bits8(gb, buf, buf_size);
+ if (ret < 0)
+ return ret;
packet_sequence_number = get_bits(gb, 4);
skip_bits(gb, 1); // Skip seekable_frame_in_packet, currently unused
spliced_packet = get_bits1(gb);
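Review bot: `s->buf_bit_size = buf_size << 3;` on the context line above the new call still runs before the size has been validated, so an oversized `buf_size` overflows the signed shift and leaves a bogus bit count in the context even though the function then returns the error. init_get_bits8 rejects a negative size or one above INT_MAX / 8, so moving the assignment below the check makes the shift safe: `if (ret < 0) return ret;` followed by `s->buf_bit_size = buf_size << 3;`. Nothing visible between the two lines reads `s->buf_bit_size`, but decode_packet starts and ends outside this hunk, so that should be confirmed against the full function. The third hunk has the same ordering with `(avpkt->size - s->next_packet_start) << 3`.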
@@ -1256,7 +1259,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
int frame_size;
s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
- init_get_bits(gb, avpkt->data, s->buf_bit_size);
+ ret = init_get_bits8(gb, avpkt->data, (avpkt->size - s->next_packet_start));
+ if (ret < 0)
+ return ret;
skip_bits(gb, s->packet_offset);
if (s->len_prefix && remaining_bits(s, gb) > s->log2_frame_size &&
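Review bot: The byte count `avpkt->size - s->next_packet_start` is now spelled out twice in this hunk, once shifted into `s->buf_bit_size` and once, in redundant parentheses, as the size passed to init_get_bits8. Computing it once keeps the two from drifting apart: `int remaining_bytes = avpkt->size - s->next_packet_start;` next to `int frame_size;`, then `ret = init_get_bits8(gb, avpkt->data, remaining_bytes);`. A one-line comment such as `/* size is derived from packet data; init_get_bits8 fails if it is negative or too large */` would record why the return value is checked here. Whether `s->next_packet_start` can exceed `avpkt->size` cannot be told from the hunk, since the enclosing block continues outside it.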
--
2.17.1