On 30.10.2016 22:18, Paul B Mahol wrote:
> On 10/30/16, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote:
>> This fixes out-of-bounds reads by the bitstream reader.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavcodec/interplayacm.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
>> index 0486e00..f4a3446 100644
>> --- a/libavcodec/interplayacm.c
>> +++ b/libavcodec/interplayacm.c
>> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
>>      s->block = av_calloc(s->block_len, sizeof(int));
>>      s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
>>      s->ampbuf = av_calloc(0x10000, sizeof(int));
>> -    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
>> +    s->bitstream = av_calloc(s->max_framesize +
>> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1,
>
> How did you come up with this fix?
> Little background would help.
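Review bot: the rationale for the new size is missing from both the commit message and the code; the hunk's `+` line only shows `s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1,` with no comment, and the message only says it "fixes out-of-bounds reads". Please state in the commit message that init_get_bits8 requires AV_INPUT_BUFFER_PADDING_SIZE extra bytes behind the data because the optimized readers fetch 32 or 64 bits at once, and add a one-line comment above the av_calloc noting that the `/ sizeof(*s->bitstream) + 1` converts that byte padding into whole elements, rounding up when the division truncates. The quoted `+` line is also cut off after `+ 1,`, so the element-size argument cannot be checked here; please post the complete line.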
The out-of-bounds read happens in get_bits called from linear.
The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index].

The get_bits documentation says:

/**
 * Initialize GetBitContext.
 * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE bytes
 *        larger than the actual read bits because some optimized bitstream
 *        readers read 32 or 64 bit at once and could read over the end
 * @param byte_size the size of the buffer in bytes
 * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow.
 */
static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer,
                                 int byte_size)

Increasing the buffer size fixed the problem, so the case seems quite clear.

Best regards,
Andreas

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
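As an added stand-alone example (not FFmpeg's code and not from this thread) of what that padding contract guards against: a toy reader that, like the optimized readers the comment describes, loads a whole 32-bit word on every call, next to the element-count arithmetic the patch uses. INPUT_BUFFER_PADDING_SIZE (set to 64 here), padded_elems, wide_get_bits, max_offset_touched and drain_padded are names and values assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed value for this example; mirrors FFmpeg's AV_INPUT_BUFFER_PADDING_SIZE. */
#define INPUT_BUFFER_PADDING_SIZE 64

/* Elements to allocate for payload_elems elements plus at least INPUT_BUFFER_PADDING_SIZE
 * bytes of padding; "+ 1" rounds the padding up to whole elements (the patch's arithmetic). */
size_t padded_elems(size_t payload_elems, size_t elem_size)
{
    return payload_elems + INPUT_BUFFER_PADDING_SIZE / elem_size + 1;
}

/* Toy wide bit reader: each call loads a whole big-endian 32-bit word at the
 * current byte position, even when fewer than 32 payload bits remain. */
typedef struct { const uint8_t *buf; size_t size_bits; size_t index; } WideBits;

/* Read n (1..25) bits; *last_byte receives the highest byte offset dereferenced. */
uint32_t wide_get_bits(WideBits *b, unsigned n, size_t *last_byte)
{
    const uint8_t *p = b->buf + (b->index >> 3);
    uint32_t word = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    *last_byte = (b->index >> 3) + 3;
    word <<= b->index & 7;
    b->index += n;
    return word >> (32 - n);
}

/* Drain buf with 7-bit reads and return the highest byte offset touched. */
size_t max_offset_touched(const uint8_t *buf, size_t payload_bytes)
{
    WideBits b = { buf, payload_bytes * 8, 0 };
    size_t last = 0, worst = 0;
    while (b.index < b.size_bits) {
        wide_get_bits(&b, 7, &last);
        if (last > worst) worst = last;
    }
    return worst;
}

/* Allocate payload_bytes plus padding (zeroed, like av_calloc), fill a constructed payload,
 * drain it and return the highest offset hit: for 5 bytes that is offset 7, 3 past the end. */
size_t drain_padded(size_t payload_bytes)
{
    uint8_t *buf = calloc(padded_elems(payload_bytes, sizeof *buf), 1);
    if (!buf) return (size_t)-1;
    for (size_t i = 0; i < payload_bytes; i++) buf[i] = (uint8_t)(0xA5 ^ i);
    size_t worst = max_offset_touched(buf, payload_bytes);
    free(buf);
    return worst;
}
```

Without the padding the same drain would dereference three bytes past a 5-byte allocation; with it, the highest offset stays well inside the 70 bytes padded_elems returns.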