On Mon, Dec 12, 2011 at 02:42:51PM +0530, Gaurav Narula wrote:
> ---
>  libavcodec/kmvc.c |   77 
> ++++++++++++++++++++++++++++++++++++++++++-----------
>  1 files changed, 61 insertions(+), 16 deletions(-)
> 
> diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
> index 07ca194..fd5d67b 100644
> --- a/libavcodec/kmvc.c
> +++ b/libavcodec/kmvc.c
> @@ -57,17 +57,20 @@ typedef struct BitBuf {
>  
>  #define kmvc_init_getbits(bb, src)  bb.bits = 7; bb.bitbuf = *src++;
>  
> -#define kmvc_getbit(bb, src, res) {\
> +#define kmvc_getbit(bb, src, src_end, res) {\
>      res = 0; \
>      if (bb.bitbuf & (1 << bb.bits)) res = 1; \
>      bb.bits--; \
>      if(bb.bits == -1) { \
> +        if (src >= src_end) { \
> +            av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); return; \
> +        } \
>          bb.bitbuf = *src++; \
>          bb.bits = 7; \
>      } \
>  }
>  
> -static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, 
> int w, int h)
> +static void kmvc_decode_intra_8x8(KmvcContext * ctx, const uint8_t * src, 
> int src_size, int w, int h)
>  {
>      BitBuf bb;
>      int res, val;
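Review bot: The overrun branch added to `kmvc_getbit` hides a `return;` and a reference to `ctx`, which is not a macro parameter, so the macro only expands correctly inside a void function that has a local named `ctx`. That is easy to miss at the call sites, where an innocent-looking bit read can now leave the frame partially decoded. I would document the contract above the macro, e.g. `/* NOTE: on overrun this logs via ctx->avctx and returns from the enclosing function */`, and wrap the body in `do { ... } while (0)` so it behaves as a single statement. The check also runs on the eager refill after the last bit of a byte is consumed, so a payload whose final flag bit ends exactly at `src_end` would presumably be rejected before its block is written; that is worth confirming against a real sample.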
> @@ -75,13 +78,18 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, 
> const uint8_t * src, int w,
>      int bx, by;
>      int l0x, l1x, l0y, l1y;
>      int mx, my;
> +    const uint8_t *src_end = src + src_size;
>  
>      kmvc_init_getbits(bb, src);
>  
>      for (by = 0; by < h; by += 8)
>          for (bx = 0; bx < w; bx += 8) {
> -            kmvc_getbit(bb, src, res);
> +            kmvc_getbit(bb, src, src_end,res);
                          space here please ^
>              if (!res) {         // fill whole 8x8 block
> +                if (src >= src_end) {
> +                    av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n");
> +                    return;
> +                }                            
>                  val = *src++;
>                  for (i = 0; i < 64; i++)
>                      BLK(ctx->cur, bx + (i & 0x7), by + (i >> 3)) = val;
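Review bot: `kmvc_init_getbits(bb, src)` directly after the new `src_end` line still performs `bb.bitbuf = *src++` with no bounds check, so a zero-length (or negative) `src_size` reads a byte outside the packet before any of the added guards can run. A guard ahead of it closes that gap, e.g. `if (src_size < 1) { av_log(ctx->avctx, AV_LOG_ERROR, "Data overrun\n"); return; }`. Rejecting a non-positive `src_size` first also avoids forming a `src_end` that points before `src`. How the caller derives `src_size` is not visible here, and the function body continues past this hunk.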
> @@ -89,14 +97,22 @@ static void kmvc_decode_intra_8x8(KmvcContext * ctx, 
> const uint8_t * src, int w,
>                  for (i = 0; i < 4; i++) {
>                      l0x = bx + (i & 1) * 4;
>                      l0y = by + (i & 2) * 2;
> -                    kmvc_getbit(bb, src, res);
> +                    kmvc_getbit(bb, src, src_end,res);

and here and below

Also, it would be nice to return a real value from kmvc_decode_* (0 or
AVERROR_INVALIDDATA), but in general the patch looks good to me.