----- Original Message -----
> From: Aneesh Dogra <[email protected]>
> To: [email protected]
> Cc: Aneesh Dogra <[email protected]>
> Sent: Sunday, December 18, 2011 7:54 AM
> Subject: [libav-devel] [PATCH] xl: Fix Over Reads
>
> While reading a fuzzed bitstream, the decoder can read past the end of the
> bitstream, causing invalid reads.
> ---
> libavcodec/xl.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/libavcodec/xl.c b/libavcodec/xl.c
> index 197b0c2..077b022 100644
> --- a/libavcodec/xl.c
> +++ b/libavcodec/xl.c
> @@ -44,6 +44,7 @@ static int decode_frame(AVCodecContext *avctx,
> {
> const uint8_t *buf = avpkt->data;
> int buf_size = avpkt->size;
> + const uint8_t *buf_end = avpkt->data + avpkt->size;
Nit: I'd propose
const uint8_t *buf_end = buf + buf_size;
> VideoXLContext * const a = avctx->priv_data;
> AVFrame * const p= (AVFrame*)&a->pic;
> uint8_t *Y, *U, *V;
> @@ -70,6 +71,8 @@ static int decode_frame(AVCodecContext *avctx,
> stride = avctx->width - 4;
> for (i = 0; i < avctx->height; i++) {
> /* lines are stored in reversed order */
> + if(buf + stride > buf_end)
> + break;
I believe we should return an error in case of buffer run-out,
instead of simply breaking out of the loop.
> buf += stride;
>
> for (j = 0; j < avctx->width; j += 4) {
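Review bot: the bare `break` on a truncated packet lets decode_frame fall through and report success for a frame whose remaining lines were never decoded; returning an error code such as `AVERROR_INVALIDDATA` at this point is the usual libav convention and tells the caller the packet was short. Note also that this condition only guarantees the `buf += stride;` increment stays inside the buffer: the reads in the `for (j = 0; j < avctx->width; j += 4)` loop that follows run before the next check, so it is worth confirming that `stride` bytes remaining is enough to cover what that inner loop consumes. Minor: `if(buf` should be `if (buf` to match the spacing used by the check in the next hunk.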
> @@ -108,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx,
> V[j >> 2] = c1 << 1;
> }
>
> + if (buf + avctx->width + 4 > buf_end)
> + break;
Same as above applies here too.
> buf += avctx->width + 4;
> Y += a->pic.linesize[0];
> U += a->pic.linesize[1];
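Review bot: same issue with `break` here, a silently truncated frame is returned as if it were complete; `return AVERROR_INVALIDDATA;` would be preferable. Since this check sits after the inner loop has already read from `buf`, it protects only the `buf += avctx->width + 4;` increment and the following iteration, not the reads above it, so the two checks together still leave the last line's reads unguarded unless the check in the previous hunk accounts for them.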
> --
> 1.7.4.1
>
I may be wrong though, would like to have a second opinion.