Module: libav Branch: release/0.7 Commit: 03ddc260668beaf62f6f7fe64a08b5a71be5bb27
Author: Michael Niedermayer <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Sat Mar 24 17:43:55 2012 +0100 indeo5dec: Make sure we have had a valid gop header. This prevents decoding happening on a half initialized context. Fixes CVE-2012-2779 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <[email protected]> (cherry picked from commit 891918431db628db17885ed947ee387b29826a64) Conflicts: libavcodec/ivi_common.c libavcodec/ivi_common.h --- libavcodec/indeo5.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index e12cd61..bb491fe 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -76,6 +76,8 @@ typedef struct { int is_scalable; uint32_t lock_word; IVIPicConfig pic_conf; + + int gop_invalid; } IVI5DecContext; @@ -335,8 +337,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - if (decode_gop_header(ctx, avctx)) - return -1; + ctx->gop_invalid = 1; + if (decode_gop_header(ctx, avctx)) { + av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + return AVERROR_INVALIDDATA; + } + ctx->gop_invalid = 0; } if (ctx->frame_type != FRAMETYPE_NULL) { @@ -759,6 +765,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, "Error while decoding picture header: %d\n", result); return -1; } + if (ctx->gop_invalid) + return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
