On Fri, Nov 25, 2016 at 02:26:24AM +0100, Andreas Cadhalpun wrote:
> On 25.11.2016 01:38, Michael Niedermayer wrote:
> > On Fri, Nov 25, 2016 at 12:03:30AM +0100, Andreas Cadhalpun wrote:
> >> mss2.c | 13 ++++++++++---
> >> 1 file changed, 10 insertions(+), 3 deletions(-)
> >> 884b912643244a4205bac63faedfa0c048bcc97a 0001-mss2-only-use-error-correction-for-matching-block-co.patch
> >> From df9241d8b575cc0fbf570e714c586ff37a4821fd Mon Sep 17 00:00:00 2001
> >> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> >> Date: Thu, 24 Nov 2016 23:57:46 +0100
> >> Subject: [PATCH] mss2: only use error correction for matching block counts
> >>
> >> This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
> >> with coded_width/coded_height larger than width/height.
> >>
> >> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> >> ---
> >> libavcodec/mss2.c | 13 ++++++++++---
> >> 1 file changed, 10 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c
> >> index 1e24568..62761e8 100644
> >> --- a/libavcodec/mss2.c
> >> +++ b/libavcodec/mss2.c
> >> @@ -409,8 +409,6 @@ static int decode_wmv9(AVCodecContext *avctx, const > >> uint8_t *buf, int buf_size, > >> return ret; > >> } > >> > >> - ff_mpeg_er_frame_start(s); > >> - > >> v->bits = buf_size * 8; > >> > >> v->end_mb_x = (w + 15) >> 4;
> >> @@ -420,9 +418,18 @@ static int decode_wmv9(AVCodecContext *avctx, const > >> uint8_t *buf, int buf_size, > >> if (v->respic & 2) > >> s->end_mb_y = s->end_mb_y + 1 >> 1; > >> > >> + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { > >> + ff_mpeg_er_frame_start(s); > >> + } else { > >> + av_log(v->s.avctx, AV_LOG_WARNING, > >> + "disabling error correction due to block count mismatch > >> %dx%d != %dx%d\n", > >> + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); > >> + } > >> + > >> ff_vc1_decode_blocks(v); > >> > >> - ff_er_frame_end(&s->er); > >> + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) > >> + ff_er_frame_end(&s->er);
> >
> > there are still ff_er_add_slice() calls in the block decode code i think
> > It seems not to matter but skipping just ff_er_frame_end() and
> > not ff_mpeg_er_frame_start() feels less inconsistent
>
> OK, updated patch is attached.
>
> Best regards,
> Andreas
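Review bot: on the first hunk (@@ -409,8 +409,6 @@), dropping the unconditional ff_mpeg_er_frame_start(s) is the part of this version that does not hold up: ff_vc1_decode_blocks(v) still performs the ER slice bookkeeping (the ff_er_add_slice() calls mentioned in the reply) for every frame, so frames that skip the start call now run that bookkeeping against an ER context whose per-frame start was never done. The overflow named in the commit message is in ff_er_frame_end, so the cleaner fix is to leave this call where it was and guard only the frame-end call.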
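Review bot: on the second hunk (@@ -420,9 +418,18 @@), the condition v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height is spelled out twice, once before ff_mpeg_er_frame_start(s) and again before ff_er_frame_end(&s->er); evaluate it once into a local (for example `int er_ok = v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height;`) so the two guards cannot drift apart in a later edit. Also, since coded_width/coded_height larger than width/height is a property of the stream rather than of one frame, the AV_LOG_WARNING will be emitted for every frame of such a file; a once-only message would be less noisy.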
> mss2.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
> 958ee0811485404a0662a1540fcb8b131423947b 0001-mss2-only-use-error-correction-for-matching-block-co.patch
> From 6d8b5136c67f3a8cb3f4a4c818f311d748bbab5d Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> Date: Thu, 24 Nov 2016 23:57:46 +0100
> Subject: [PATCH] mss2: only use error correction for matching block counts
>
> This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
> with coded_width/coded_height larger than width/height.
>
> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> ---
> libavcodec/mss2.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)

LGTM

thx

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up some
war or other, in order that the people may require a leader. -- Plato
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel