On 10/14/2018 12:18 PM, Michael Niedermayer wrote: > On Sun, Oct 14, 2018 at 11:03:29AM -0300, James Almer wrote: >> On 10/14/2018 10:43 AM, Michael Niedermayer wrote: >>> Fixes: out of array read >>> Fixes: SIGSEGV_get_obu_bit_length_av1_parse >>> >>> Found-by: keval shah <skeva...@gmail.com> >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >>> --- >>> libavcodec/av1_parse.h | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/libavcodec/av1_parse.h b/libavcodec/av1_parse.h >>> index 276af33ba9..312d8825e1 100644 >>> --- a/libavcodec/av1_parse.h >>> +++ b/libavcodec/av1_parse.h >>> @@ -130,6 +130,9 @@ static inline int parse_obu_header(const uint8_t *buf, >>> int buf_size, >>> if (get_bits_left(&gb) < 0) >>> return AVERROR_INVALIDDATA; >>> >>> + if (*obu_size > (uint64_t)buf_size - get_bits_count(&gb) / 8) >>> + return AVERROR_INVALIDDATA; >>> + >>> *start_pos = get_bits_count(&gb) / 8; >>> >>> size = *obu_size + *start_pos; >> >> Right below this line there's the check >> >> if (size > INT_MAX) >> return AVERROR(ERANGE); >> >> So i think you could just change it to "size > (int64_t)buf_size" and >> achieve the same effect without adding an extra check. > > ive written it a bit overly defensive, not assuming any range limitation > of leb128(). > But you are correct, ill simplify and repost it
Make it return AVERROR_INVALIDDATA instead of ERANGE as well while at it. Thanks. > > thx > > > [...] > > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
