Re: [libav-devel] [PATCH 1/2] vqavideo: check chunk sizes before reading chunks

Sun, 17 Feb 2013 01:12:36 -0800 

On Sun, 17 Feb 2013 09:43:31 +0100, Reinhard Tartler <[email protected]> 
wrote:
> From: Michael Niedermayer <[email protected]>
> 
> Fixes out of array writes
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <[email protected]>
> (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
> 
> Signed-off-by: Michael Niedermayer <[email protected]>
> (cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)
> 
> Signed-off-by: Reinhard Tartler <[email protected]>
> ---
>  libavcodec/vqavideo.c |   10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
> index 22b024c..0d3b4b2 100644
> --- a/libavcodec/vqavideo.c
> +++ b/libavcodec/vqavideo.c
> @@ -532,6 +532,11 @@ static int vqa_decode_chunk(VqaContext *s)
>          bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
>          chunk_size = bytestream2_get_be32(&s->gb);
>  
> +        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
> +            av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X 
> bytes)\n", chunk_size);
> +            return AVERROR_INVALIDDATA;
> +        }
> +
>          /* accumulate partial codebook */
>          bytestream2_get_buffer(&s->gb, 
> &s->next_codebook_buffer[s->next_codebook_buffer_index],
>                                 chunk_size);
> @@ -555,6 +560,11 @@ static int vqa_decode_chunk(VqaContext *s)
>          bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
>          chunk_size = bytestream2_get_be32(&s->gb);
>  
> +        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
> +            av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X 
> bytes)\n", chunk_size);
> +            return AVERROR_INVALIDDATA;
> +        }
> +
>          /* accumulate partial codebook */
>          bytestream2_get_buffer(&s->gb, 
> &s->next_codebook_buffer[s->next_codebook_buffer_index],
>                                 chunk_size);
> -- 
> 1.7.9.5
> 

Looks basically fine, except for two nits -- 1) long lines 2)chunk size printed
in hex for no apparrent reason.

-- 
Anton Khirnov
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to