cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
be767c38af
openbsd-ports/graphics/ffmpeg/patches/patch-libavcodec_cavsdec_c
sthen 57d7ee5a36 Some FFmpeg security and bug fixes from upstream, from Brad: 
- jpegdec: Actually search for and parse RSTn.
- mpeg4: Adjust dummy frame threshold for packed DivX.
- mpeg4: Fix another packed DivX issue.
- jpegdec: Better RSTn skiping.
- Fix memory corruption in case of memory allocation failure.
- cavsdec: Avoid possible crash with crafted input.
- rtp: Fix integer underflow that could allow remote code execution. MSVR-11-008
8
- rtpdec_asf: Fix memleak.
- mp3dec: Dont spam the user on multiple MP3 frames.
- wavpack: Fixed invalid access with corrupted extra bits sub-blocks.
- wavpack: Fixed invalid writes with corrupted bitstreams.
- wavpack: Fixed invalid access with corrupted bitstream.
2011-09-12 21:04:48 +00:00

90 lines
3.4 KiB
Plaintext
Raw Blame History

$OpenBSD: patch-libavcodec_cavsdec_c,v 1.4 2011/09/12 21:04:49 sthen Exp $
- Fix insufficient boundary check. oCERT #2011-002
- Fix some crashes with invalid bitstreams. oCERT #2011-002
- Check run value validity.
- Avoid possible crash with crafted input.
--- libavcodec/cavsdec.c.orig Mon Mar 28 19:23:17 2011
+++ libavcodec/cavsdec.c Thu Sep 8 14:16:46 2011
@@ -115,7 +115,8 @@ static inline int get_ue_code(GetBitContext *gb, int o
static int decode_residual_block(AVSContext *h, GetBitContext *gb,
const struct dec_2dvlc *r, int esc_golomb_order,
int qp, uint8_t *dst, int stride) {
- int i, level_code, esc_code, level, run, mask;
+ int i, esc_code, level, mask;
+ unsigned int level_code, run;
DCTELEM level_buf[65];
uint8_t run_buf[65];
DCTELEM *block = h->block;
@@ -124,18 +125,22 @@ static int decode_residual_block(AVSContext *h, GetBit
level_code = get_ue_code(gb,r->golomb_order);
if(level_code >= ESCAPE_CODE) {
run = ((level_code - ESCAPE_CODE) >> 1) + 1;
+ if(run > 64)
+ return -1;
esc_code = get_ue_code(gb,esc_golomb_order);
level = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
while(level > r->inc_limit)
r++;
mask = -(level_code & 1);
level = (level^mask) - mask;
- } else {
+ } else if (level_code >= 0) {
level = r->rltab[level_code][0];
if(!level) //end of block signal
break;
run = r->rltab[level_code][1];
r += r->rltab[level_code][2];
+ } else {
+ break;
}
level_buf[i] = level;
run_buf[i] = run;
@@ -163,7 +168,7 @@ static inline int decode_residual_inter(AVSContext *h)
/* get coded block pattern */
int cbp= get_ue_golomb(&h->s.gb);
- if(cbp > 63){
+ if(cbp > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
return -1;
}
@@ -189,7 +194,8 @@ static inline int decode_residual_inter(AVSContext *h)
static int decode_mb_i(AVSContext *h, int cbp_code) {
GetBitContext *gb = &h->s.gb;
- int block, pred_mode_uv;
+ unsigned pred_mode_uv;
+ int block;
uint8_t top[18];
uint8_t *left = NULL;
uint8_t *d;
@@ -222,7 +228,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
/* get coded block pattern */
if(h->pic_type == FF_I_TYPE)
cbp_code = get_ue_golomb(gb);
- if(cbp_code > 63){
+ if(cbp_code > 63U){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
return -1;
}
@@ -445,6 +451,8 @@ static inline int check_for_slice(AVSContext *h) {
if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
skip_bits_long(gb,24+align);
h->stc = get_bits(gb,8);
+ if (h->stc >= h->mb_height)
+ return 0;
decode_slice_header(h,gb);
return 1;
}
@@ -659,7 +667,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,vo
buf_end = buf + buf_size;
for(;;) {
buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
- if(stc & 0xFFFFFE00)
+ if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
input_size = (buf_end - buf_ptr)*8;
switch(stc) {
Reference in New Issue View Git Blame Copy Permalink