ffmpeg | branch: release/0.10 | Diego Biurrun <di...@biurrun.de> | Sun Aug 3
12:19:10 2014 -0700| [4a6622550a4a4bf4690ea7d9fe42210a30a67936] | committer:
Diego Biurrun
huffyuv: Check and propagate function return values
Bug-Id: CVE-2013-0868
inspired by a patch from Michael Niedermayer <michae...@gmx.at>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18)
Signed-off-by: Diego Biurrun <di...@biurrun.de>
Conflicts:
libavcodec/huffyuvdec.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a6622550a4a4bf4690ea7d9fe42210a30a67936
---
libavcodec/huffyuv.c | 94 +++++++++++++++++++++++++++++++-------------------
1 file changed, 58 insertions(+), 36 deletions(-)
diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
index f9e101d..0933575 100644
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -273,10 +273,12 @@ static void generate_len_table(uint8_t *dst, const
uint64_t *stats){
}
#endif /* CONFIG_HUFFYUV_ENCODER || CONFIG_FFVHUFF_ENCODER */
-static void generate_joint_tables(HYuvContext *s){
+static int generate_joint_tables(HYuvContext *s){
uint16_t symbols[1<<VLC_BITS];
uint16_t bits[1<<VLC_BITS];
uint8_t len[1<<VLC_BITS];
+ int ret;
+
if(s->bitstream_bpp < 24){
int p, i, y, u;
for(p=0; p<3; p++){
@@ -297,7 +299,9 @@ static void generate_joint_tables(HYuvContext *s){
}
}
ff_free_vlc(&s->vlc[3+p]);
- ff_init_vlc_sparse(&s->vlc[3+p], VLC_BITS, i, len, 1, 1, bits, 2,
2, symbols, 2, 2, 0);
+ if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1,
1,
+ bits, 2, 2, symbols, 2, 2, 0)) < 0)
+ return ret;
}
}else{
uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map;
@@ -338,27 +342,33 @@ static void generate_joint_tables(HYuvContext *s){
}
}
ff_free_vlc(&s->vlc[3]);
- init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0);
+ if ((ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1,
+ bits, 2, 2, 0)) < 0)
+ return ret;
}
+ return 0;
}
static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
GetBitContext gb;
- int i;
+ int i, ret;
- init_get_bits(&gb, src, length*8);
+ if ((ret = init_get_bits(&gb, src, length * 8)) < 0)
+ return ret;
for(i=0; i<3; i++){
- if(read_len_table(s->len[i], &gb)<0)
- return -1;
- if(generate_bits_table(s->bits[i], s->len[i])<0){
- return -1;
- }
+ if ((ret = read_len_table(s->len[i], &gb)) < 0)
+ return ret;
+ if ((ret = generate_bits_table(s->bits[i], s->len[i])) < 0)
+ return ret;
ff_free_vlc(&s->vlc[i]);
- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4,
0);
+ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+ s->bits[i], 4, 4, 0)) < 0)
+ return ret;
}
- generate_joint_tables(s);
+ if ((ret = generate_joint_tables(s)) < 0)
+ return ret;
return (get_bits_count(&gb)+7)/8;
}
@@ -366,14 +376,18 @@ static int read_huffman_tables(HYuvContext *s, const
uint8_t *src, int length){
static int read_old_huffman_tables(HYuvContext *s){
#if 1
GetBitContext gb;
- int i;
-
- init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
- if(read_len_table(s->len[0], &gb)<0)
- return -1;
- init_get_bits(&gb, classic_shift_chroma,
classic_shift_chroma_table_size*8);
- if(read_len_table(s->len[1], &gb)<0)
- return -1;
+ int i, ret;
+
+ if ((ret = init_get_bits(&gb, classic_shift_luma,
+ classic_shift_luma_table_size * 8)) < 0)
+ return ret;
+ if ((ret = read_len_table(s->len[0], &gb)) < 0)
+ return ret;
+ if ((ret = init_get_bits(&gb, classic_shift_chroma,
+ classic_shift_chroma_table_size * 8)) < 0)
+ return ret;
+ if ((ret = read_len_table(s->len[1], &gb)) < 0)
+ return ret;
for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma [i];
for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i];
@@ -387,10 +401,13 @@ static int read_old_huffman_tables(HYuvContext *s){
for(i=0; i<3; i++){
ff_free_vlc(&s->vlc[i]);
- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4,
0);
+ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+ s->bits[i], 4, 4, 0)) < 0)
+ return ret;
}
- generate_joint_tables(s);
+ if ((ret = generate_joint_tables(s)) < 0)
+ return ret;
return 0;
#else
@@ -430,6 +447,7 @@ static av_cold int common_init(AVCodecContext *avctx){
static av_cold int decode_init(AVCodecContext *avctx)
{
HYuvContext *s = avctx->priv_data;
+ int ret;
common_init(avctx);
memset(s->vlc, 0, 3*sizeof(VLC));
@@ -464,8 +482,9 @@ s->bgr32=1;
s->interlaced= (interlace==1) ? 1 : (interlace==2) ? 0 : s->interlaced;
s->context= ((uint8_t*)avctx->extradata)[2] & 0x40 ? 1 : 0;
- if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4,
avctx->extradata_size-4) < 0)
- return -1;
+ if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+ avctx->extradata_size - 4)) < 0)
+ return ret;
}else{
switch(avctx->bits_per_coded_sample&7){
case 1:
@@ -492,8 +511,8 @@ s->bgr32=1;
s->bitstream_bpp= avctx->bits_per_coded_sample & ~7;
s->context= 0;
- if(read_old_huffman_tables(s) < 0)
- return -1;
+ if ((ret = read_old_huffman_tables(s)) < 0)
+ return ret;
}
switch(s->bitstream_bpp){
@@ -529,7 +548,7 @@ s->bgr32=1;
static av_cold int decode_init_thread_copy(AVCodecContext *avctx)
{
HYuvContext *s = avctx->priv_data;
- int i;
+ int i, ret;
avctx->coded_frame= &s->picture;
alloc_temp(s);
@@ -538,11 +557,12 @@ static av_cold int decode_init_thread_copy(AVCodecContext
*avctx)
s->vlc[i].table = NULL;
if(s->version==2){
- if(read_huffman_tables(s, ((uint8_t*)avctx->extradata)+4,
avctx->extradata_size) < 0)
- return -1;
+ if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4,
+ avctx->extradata_size)) < 0)
+ return ret;
}else{
- if(read_old_huffman_tables(s) < 0)
- return -1;
+ if ((ret = read_old_huffman_tables(s)) < 0)
+ return ret;
}
return 0;
@@ -959,7 +979,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
int *data_size, AVPac
const int height= s->height;
int fake_ystride, fake_ustride, fake_vstride;
AVFrame * const p= &s->picture;
- int table_size= 0;
+ int table_size = 0, ret;
AVFrame *picture = data;
@@ -974,21 +994,23 @@ static int decode_frame(AVCodecContext *avctx, void
*data, int *data_size, AVPac
ff_thread_release_buffer(avctx, p);
p->reference= 0;
- if(ff_thread_get_buffer(avctx, p) < 0){
+ if ((ret = ff_thread_get_buffer(avctx, p)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
- return -1;
+ return ret;
}
if(s->context){
table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size);
if(table_size < 0)
- return -1;
+ return table_size;
}
if((unsigned)(buf_size-table_size) >= INT_MAX/8)
return -1;
- init_get_bits(&s->gb, s->bitstream_buffer+table_size,
(buf_size-table_size)*8);
+ if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size,
+ (buf_size - table_size) * 8)) < 0)
+ return ret;
fake_ystride= s->interlaced ? p->linesize[0]*2 : p->linesize[0];
fake_ustride= s->interlaced ? p->linesize[1]*2 : p->linesize[1];
_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
