From 251b4655be73f4b5e86d3e81d61abb5787b1262b Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 24 Aug 2013 21:30:46 +0200
Subject: [PATCH 1/2] vcr1: add sanity checks
Fixes invalid reads with corrupted files.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 8aba7968dd604aae91ee42cbce0be3dad7dceb30)
Signed-off-by: Luca Barbato
---
libavcodec/vcr1.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c
index d0805a3759..42ba7874c7 100644
--- a/libavcodec/vcr1.c
+++ b/libavcodec/vcr1.c
@@ -50,6 +50,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx)
 avctx->pix_fmt = AV_PIX_FMT_YUV410P;
+ if (avctx->width & 7) {
+ av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width);
+ return AVERROR_INVALIDDATA;
+ }
+
 return 0;
 }
@@ -85,9 +90,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
 p->pict_type = AV_PICTURE_TYPE_I;
 p->key_frame = 1;
+ if (buf_size < 32)
+ goto packet_small;
+
 for (i = 0; i < 16; i++) {
 a->delta[i] = *bytestream++;
 bytestream++;
+ buf_size--;
 }
 for (y = 0; y < avctx->height; y++) {
@@ -98,8 +107,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
 uint8_t *cb = &a->picture.data[1][(y >> 2) * a->picture.linesize[1]];
 uint8_t *cr = &a->picture.data[2][(y >> 2) * a->picture.linesize[2]];
+ if (buf_size < 4 + avctx->width)
+ goto packet_small;
+
 for (i = 0; i < 4; i++)
 a->offset[i] = *bytestream++;
+ buf_size -= 4;
 offset = a->offset[0] - a->delta[bytestream[2] & 0xF];
 for (x = 0; x < avctx->width; x += 4) {
@@ -113,8 +126,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
 *cr++ = bytestream[1];
 bytestream += 4;
+ buf_size -= 4;
 }
 } else {
+ if (buf_size < avctx->width / 2)
+ goto packet_small;
+
 offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF];
 for (x = 0; x < avctx->width; x += 8) {
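Review bot: The new error message in vcr1_decode_init misspells "divisible"; the line should read `av_log(avctx, AV_LOG_ERROR, "Width %d is not divisible by 8.\n", avctx->width);`. The `& 7` test also accepts a width of 0 (and a negative multiple of 8 on two's-complement targets); whether such a value can reach this point is not visible in the hunk, so if the surrounding dimension validation does not already reject it, `if (avctx->width <= 0 || avctx->width & 7) {` would close that case in the same check.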
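Review bot: The delta loop in the second hunk consumes two bytes per iteration (both `bytestream++` advances) but only runs `buf_size--;` once, so after the loop buf_size overstates the bytes still in the packet by 16. Every later guard in this patch — the `buf_size < 4 + avctx->width` check for even rows and the `buf_size < avctx->width / 2` check for odd rows in the next two hunks — is then off by 16, and a packet that is just short of a row still reaches the unchecked reads the patch is meant to stop. The simplest fix is to drop the per-iteration decrement and account for the header once after the loop, `buf_size -= 32;` (the `buf_size < 32` guard already proves it fits); keeping the in-loop form would require `buf_size -= 2;` instead. The signature of vcr1_decode_frame and the declaration of buf_size are outside the hunk.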
@@ -128,6 +145,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
 luma[7] = offset += a->delta[bytestream[1] >> 4];
 luma += 8;
 bytestream += 4;
+ buf_size -= 4;
 }
 }
 }
@@ -136,6 +154,9 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
 *got_frame = 1;
 return buf_size;
+packet_small:
+ av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n");
+ return AVERROR_INVALIDDATA;
 }
 AVCodec ff_vcr1_decoder = {
From 8dc4b2c92e492aa172327d10c926d5ca3a04371c Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 24 Aug 2013 21:30:46 +0200
Subject: [PATCH 2/2] pictordec: break out of both decoding loops when y drops below 0
Otherwise picmemset can get called with negative y, resulting in an invalid write.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695)
Signed-off-by: Luca Barbato
---
libavcodec/pictordec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 16f930730b..f88fc52f1b 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -227,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx,
 if (bits_per_plane == 8) {
 picmemset_8bpp(s, val, run, &x, &y);
 if (y < 0)
- break;
+ goto finish;
 } else {
 picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
 }
@@ -237,6 +237,7 @@ static int decode_frame(AVCodecContext *avctx,
 av_log_ask_for_sample(s, "uncompressed image\n");
 return avpkt->size;
 }
+finish:
 *got_frame = 1;
 *(AVFrame*)data = s->frame;
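Review bot: The context line `return buf_size;` next to the new packet_small label now returns whatever is left of the packet rather than its size, because the guards added earlier in this patch decrement buf_size as bytes are consumed; a caller that reads the return value as bytes consumed sees a smaller number than the packet actually used. If buf_size is the local initialised from the packet size (its declaration is outside the hunk), either return that size directly — `return avpkt->size;` when the AVPacket parameter is named avpkt as in the rest of libavcodec — or snapshot buf_size into a separate local before the first decrement and return that. The body of vcr1_decode_frame starts outside the hunk.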
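Review bot: In the pictordec hunk only the 8bpp branch checks `y < 0` after the memset helper; the else branch calls `picmemset(s, val, run, &x, &y, &plane, bits_per_plane)` with the same &y and has no check. If picmemset can also move y past the first row (its body is not visible here), the negative-y write the commit message describes is still reachable through that branch; if it wraps y internally, a one-line comment above the else branch such as `/* picmemset() wraps y to the next plane itself; only the 8bpp path can leave y < 0 */` would make the asymmetry deliberate for the next reader. decode_frame and the enclosing loops begin outside the hunk.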