On Sun, Oct 14, 2018 at 11:03:29AM -0300, James Almer wrote: > On 10/14/2018 10:43 AM, Michael Niedermayer wrote: > > Fixes: out of array read > > Fixes: SIGSEGV_get_obu_bit_length_av1_parse > > > > Found-by: keval shah <skeva...@gmail.com> > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/av1_parse.h | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/av1_parse.h b/libavcodec/av1_parse.h > > index 276af33ba9..312d8825e1 100644 > > --- a/libavcodec/av1_parse.h > > +++ b/libavcodec/av1_parse.h > > @@ -130,6 +130,9 @@ static inline int parse_obu_header(const uint8_t *buf, > > int buf_size, > > if (get_bits_left(&gb) < 0) > > return AVERROR_INVALIDDATA; > > > > + if (*obu_size > (uint64_t)buf_size - get_bits_count(&gb) / 8) > > + return AVERROR_INVALIDDATA; > > + > > *start_pos = get_bits_count(&gb) / 8; > > > > size = *obu_size + *start_pos; > > Right below this line there's the check > > if (size > INT_MAX) > return AVERROR(ERANGE); > > So i think you could just change it to "size > (int64_t)buf_size" and > achieve the same effect without adding an extra check.
ive written it a bit overly defensive, not assuming any range limitation of leb128(). But you are correct, ill simplify and repost it thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB "Nothing to hide" only works if the folks in power share the values of you and everyone you know entirely and always will -- Tom Scott
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
