Hi,

On Sat, Dec 17, 2011 at 5:54 PM, Aneesh Dogra <[email protected]> wrote:

> While reading a fuzzed bitstream, the decoder can read past the end of the
> bitstream causing invalid reads.
> ---
>  libavcodec/xl.c |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/libavcodec/xl.c b/libavcodec/xl.c
> index 197b0c2..077b022 100644
> --- a/libavcodec/xl.c
> +++ b/libavcodec/xl.c
> @@ -44,6 +44,7 @@ static int decode_frame(AVCodecContext *avctx,
>  {
>     const uint8_t *buf = avpkt->data;
>     int buf_size = avpkt->size;
> +    const uint8_t *buf_end = avpkt->data + avpkt->size;
>     VideoXLContext * const a = avctx->priv_data;
>     AVFrame * const p= (AVFrame*)&a->pic;
>     uint8_t *Y, *U, *V;
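Review bot: `buf_end` could simply be written as `buf + buf_size`, reusing the two locals declared right above it instead of re-reading `avpkt->data` and `avpkt->size`; and if the per-iteration checks are replaced by one up-front size check against `buf_size`, this new variable is not needed at all.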
> @@ -70,6 +71,8 @@ static int decode_frame(AVCodecContext *avctx,
>     stride = avctx->width - 4;
>     for (i = 0; i < avctx->height; i++) {
>         /* lines are stored in reversed order */
> +        if(buf + stride > buf_end)
> +            break;
>         buf += stride;
>
>         for (j = 0; j < avctx->width; j += 4) {
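Review bot: the check `if(buf + stride > buf_end)` only guards the `buf += stride` advance, not the reads the following `for (j = 0; j < avctx->width; j += 4)` loop performs from `buf`, so on its own it does not rule out reading past `buf_end`. Since the bytes consumed per row are fixed by `stride`, `avctx->width` and `avctx->height`, one size check before the outer loop that returns an error is both simpler and complete. Also, `break` silently hands back a partially decoded frame without an error return or log message, and the spacing `if(` does not match the `if (` used in the next hunk.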
> @@ -108,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx,
>             V[j >> 2] = c1 << 1;
>         }
>
> +        if (buf + avctx->width + 4 > buf_end)
> +            break;
>
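Review bot: this check runs after the inner loop has already consumed the row, so it only guards the `buf += avctx->width + 4` advance into the next row, which the check at the top of the outer loop already covers for the following iteration; with a single pre-loop size check both per-row checks can be dropped, along with the silent `break`.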

So don't forget here that we know in advance how many items will be read in
the loop, and thus how many bytes in total are required. One check per loop
iteration is not necessary, one at the beginning is enough.

Can you figure out yourself how many bytes are needed per loop iteration
and thus what the expected bufsize is for each decode_frame() iteration?

Ronald
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
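As an added example, not code from the patch or from libavcodec, the single up-front check Ronald describes: the required packet size is derived once by walking the pointer the way the quoted loop does, and a short packet is rejected before any read. It assumes the inner loop (not visible in the quoted hunks) reads one 32-bit word per 4 pixels and steps `buf` back by 4 each time, and a local constant stands in for libavcodec's AVERROR_INVALIDDATA.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for libavcodec's AVERROR_INVALIDDATA (assumed, not the real value). */
#define XL_ERR_INVALIDDATA (-1)

/* Highest byte offset plus one that one decode_frame() call touches, derived
 * by replaying the quoted pointer walk: +stride, inner loop over width pixels,
 * then +width+4.  ASSUMPTION (inner loop body is not in the quoted hunks):
 * each inner iteration reads 4 bytes at buf and then does buf -= 4. */
static size_t xl_required_bytes(int width, int height)
{
    const ptrdiff_t stride = (ptrdiff_t)width - 4;
    ptrdiff_t pos = 0, max_read = 0;

    for (int i = 0; i < height; i++) {
        pos += stride;                      /* lines are stored in reversed order */
        for (int j = 0; j < width; j += 4) {
            if (pos + 4 > max_read)         /* a 32-bit read touches pos..pos+3 */
                max_read = pos + 4;
            pos -= 4;
        }
        pos += (ptrdiff_t)width + 4;        /* advance to the next row */
    }
    return (size_t)max_read;
}

/* The one check that replaces the per-iteration tests: reject the packet up
 * front with an error instead of silently breaking out mid-frame. */
static int xl_check_packet(int width, int height, int buf_size)
{
    if (width <= 0 || height <= 0 || width % 4)  /* loop steps 4 pixels at a time */
        return XL_ERR_INVALIDDATA;
    if (buf_size < 0 || (size_t)buf_size < xl_required_bytes(width, height))
        return XL_ERR_INVALIDDATA;
    return 0;
}
```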