[libav-devel] [PATCH] 4xm: Prevent buffer overreads

[Aneesh Dogra]

4xm decoder while decoding i2 frames can overread the buffer if proper checks
are not made.

Note: The fate ref file is also updated with correct framecrc's.
---
 libavcodec/4xm.c     |   14 +++-
 tests/ref/fate/4xm-2 |  189 ++++----------------------------------------------
 2 files changed, 26 insertions(+), 177 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index cfb8279..d16c232 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -614,16 +614,24 @@ static int decode_i2_frame(FourXContext *f, const uint8_t 
*buf, int length){
     int x, y, x2, y2;
     const int width= f->avctx->width;
     const int height= f->avctx->height;
+    const int mbs = FFALIGN(width, 16) * FFALIGN(height, 16);
     uint16_t *dst= (uint16_t*)f->current_picture.data[0];
     const int stride= f->current_picture.linesize[0]>>1;
+    GetByteContext g3;
+
+    if(length < mbs * 8) {
+        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+    bytestream2_init(&g3, buf, length);

     for(y=0; y<height; y+=16){
         for(x=0; x<width; x+=16){
             unsigned int color[4], bits;
             memset(color, 0, sizeof(color));
 //warning following is purely guessed ...
-            color[0]= bytestream_get_le16(&buf);
-            color[1]= bytestream_get_le16(&buf);
+            color[0]= bytestream2_get_le16u(&g3);
+            color[1]= bytestream2_get_le16u(&g3);

             if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n");
             if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n");
@@ -631,7 +639,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t 
*buf, int length){
             color[2]= mix(color[0], color[1]);
             color[3]= mix(color[1], color[0]);

-            bits= bytestream_get_le32(&buf);
+            bits= bytestream2_get_le32u(&g3);
             for(y2=0; y2<16; y2++){
                 for(x2=0; x2<16; x2++){
                     int index= 2*(x2>>2) + 8*(y2>>2);
diff --git a/tests/ref/fate/4xm-2 b/tests/ref/fate/4xm-2
index 4037f28..5e66dcc 100644
--- a/tests/ref/fate/4xm-2
+++ b/tests/ref/fate/4xm-2
@@ -1,174 +1,15 @@
-0, 0, 80640, 0x00000000
-0, 15000, 80640, 0x3a942680
-0, 30000, 80640, 0x3a942680
-0, 45000, 80640, 0x3a942680
-0, 60000, 80640, 0x3a942680
-0, 75000, 80640, 0x3a942680
-0, 90000, 80640, 0x3a942680
-0, 105000, 80640, 0x1956ebfc
-0, 120000, 80640, 0x61686290
-0, 135000, 80640, 0x7e2c2753
-0, 150000, 80640, 0x63e5e14f
-0, 165000, 80640, 0xa775947a
-0, 180000, 80640, 0x4b91b93d
-0, 195000, 80640, 0x83345f32
-0, 210000, 80640, 0x5d3a3374
-0, 225000, 80640, 0x164808c5
-0, 240000, 80640, 0xfd0189af
-0, 255000, 80640, 0x062f9389
-0, 270000, 80640, 0xe4dcaff8
-0, 285000, 80640, 0xb2d9ec51
-0, 300000, 80640, 0x3b4d5331
-0, 315000, 80640, 0xfcbd8da1
-0, 330000, 80640, 0xa0732142
-0, 345000, 80640, 0x6438df5f
-0, 360000, 80640, 0x614302fa
-0, 375000, 80640, 0x53edf986
-0, 390000, 80640, 0x6dfe13f0
-0, 405000, 80640, 0x0b2194c3
-0, 420000, 80640, 0xe0436945
-0, 435000, 80640, 0x8d8ba77f
-0, 450000, 80640, 0x9c723388
-0, 465000, 80640, 0x336bd2a2
-0, 480000, 80640, 0x5905fd0b
-0, 495000, 80640, 0x2ca368bb
-0, 510000, 80640, 0x38c1e5ec
-0, 525000, 80640, 0xe439a194
-0, 540000, 80640, 0xe7a19a64
-0, 555000, 80640, 0xbe7f9094
-0, 570000, 80640, 0x0b2cbec9
-0, 585000, 80640, 0x8050bf7d
-0, 600000, 80640, 0x4e9d4e78
-0, 615000, 80640, 0xaa7bb85d
-0, 630000, 80640, 0x6e42b1a6
-0, 645000, 80640, 0x27043fe0
-0, 660000, 80640, 0xe04bd5e6
-0, 675000, 80640, 0xd60762d6
-0, 690000, 80640, 0x2729df8f
-0, 705000, 80640, 0x1b62c4f7
-0, 720000, 80640, 0xe6b5d2f7
-0, 735000, 80640, 0xf5885096
-0, 750000, 80640, 0xe7625cf6
-0, 765000, 80640, 0xed804de6
-0, 780000, 80640, 0x3f92728e
-0, 795000, 80640, 0x353e4b0d
-0, 810000, 80640, 0x70b0228c
-0, 825000, 80640, 0x851bd554
-0, 840000, 80640, 0x594f22eb
-0, 855000, 80640, 0xa2267c0b
-0, 870000, 80640, 0xdc0fbafb
-0, 885000, 80640, 0xd596b763
-0, 900000, 80640, 0x3b9c4b1b
-0, 915000, 80640, 0x218ac4b4
-0, 930000, 80640, 0x4af393a4
-0, 945000, 80640, 0x66c098c5
-0, 960000, 80640, 0x7cc91e86
-0, 975000, 80640, 0xba282a2e
-0, 990000, 80640, 0x50932be6
-0, 1005000, 80640, 0x6531386e
-0, 1020000, 80640, 0x2616235f
-0, 1035000, 80640, 0x27aad18a
-0, 1050000, 80640, 0x67491df3
-0, 1065000, 80640, 0x167028f1
-0, 1080000, 80640, 0xa4229420
-0, 1095000, 80640, 0x77eaed07
-0, 1110000, 80640, 0xbdf7d8e8
-0, 1125000, 80640, 0xc2ac8545
-0, 1140000, 80640, 0xf3fe64ec
-0, 1155000, 80640, 0x66451d43
-0, 1170000, 80640, 0x1af2f05e
-0, 1185000, 80640, 0x2a63c2c4
-0, 1200000, 80640, 0xe4e07a0f
-0, 1215000, 80640, 0x598e8b11
-0, 1230000, 80640, 0xb2ebb868
-0, 1245000, 80640, 0xa4b6bb8a
-0, 1260000, 80640, 0x5037e910
-0, 1275000, 80640, 0x0c55f6c0
-0, 1290000, 80640, 0x3f4704f7
-0, 1305000, 80640, 0xa6a8e810
-0, 1320000, 80640, 0xedbfcfb0
-0, 1335000, 80640, 0xe568caa0
-0, 1350000, 80640, 0xdf21cc20
-0, 1365000, 80640, 0xb66cd4a8
-0, 1380000, 80640, 0xcd26c9c8
-0, 1395000, 80640, 0x5fe8d598
-0, 1410000, 80640, 0xed0dc9c8
-0, 1425000, 80640, 0x8313d288
-0, 1440000, 80640, 0x9ccdd4a0
-0, 1455000, 80640, 0x66ffe970
-0, 1470000, 80640, 0xf68ad1c8
-0, 1485000, 80640, 0xd570f658
-0, 1500000, 80640, 0x8c39d998
-0, 1515000, 80640, 0xe18fe5e0
-0, 1530000, 80640, 0xbbe7e340
-0, 1545000, 80640, 0x9a90d470
-0, 1560000, 80640, 0xd2bbced0
-0, 1575000, 80640, 0xbbf9dce0
-0, 1590000, 80640, 0x4ff7c888
-0, 1605000, 80640, 0xc2e7e1f0
-0, 1620000, 80640, 0x2104e3b0
-0, 1635000, 80640, 0xaef5e8f0
-0, 1650000, 80640, 0xc477e890
-0, 1665000, 80640, 0xb12df778
-0, 1680000, 80640, 0xd2115720
-0, 1695000, 80640, 0x620b6538
-0, 1710000, 80640, 0x894a8db8
-0, 1725000, 80640, 0x8da3bcb0
-0, 1740000, 80640, 0x96be8930
-0, 1755000, 80640, 0xe69dc1f0
-0, 1770000, 80640, 0x42b8d4e0
-0, 1785000, 80640, 0x0a8da4f0
-0, 1800000, 80640, 0x245fd3d8
-0, 1815000, 80640, 0x3fd1e858
-0, 1830000, 80640, 0xe2c299f0
-0, 1845000, 80640, 0xda1cddd0
-0, 1860000, 80640, 0xf126e498
-0, 1875000, 80640, 0xc85ab920
-0, 1890000, 80640, 0x52f39de8
-0, 1905000, 80640, 0xd0daac60
-0, 1920000, 80640, 0xef323347
-0, 1935000, 80640, 0xcc063317
-0, 1950000, 80640, 0xb6f53057
-0, 1965000, 80640, 0x5fe53b07
-0, 1980000, 80640, 0x63183d7f
-0, 1995000, 80640, 0x91a44bbf
-0, 2010000, 80640, 0xa433480f
-0, 2025000, 80640, 0xe90652ef
-0, 2040000, 80640, 0xe96e35bf
-0, 2055000, 80640, 0x84ff2ccf
-0, 2070000, 80640, 0x930f2b07
-0, 2085000, 80640, 0x5a1228d7
-0, 2100000, 80640, 0x29f226ef
-0, 2115000, 80640, 0xd35136df
-0, 2130000, 80640, 0x0e2d407f
-0, 2145000, 80640, 0x34a93267
-0, 2160000, 80640, 0x7ae82af7
-0, 2175000, 80640, 0xb20c2477
-0, 2190000, 80640, 0xa104218f
-0, 2205000, 80640, 0xcb1121e7
-0, 2220000, 80640, 0xaca04751
-0, 2235000, 80640, 0x3a51c704
-0, 2250000, 80640, 0xfa632e3d
-0, 2265000, 80640, 0x61c9407c
-0, 2280000, 80640, 0xe9a08dd9
-0, 2295000, 80640, 0xebf3c623
-0, 2310000, 80640, 0x00000000
-0, 2325000, 80640, 0x0f412500
-0, 2340000, 80640, 0x0f412500
-0, 2355000, 80640, 0x0f412500
-0, 2370000, 80640, 0xb6634270
-0, 2385000, 80640, 0x9e43a4a0
-0, 2400000, 80640, 0x136ab60b
-0, 2415000, 80640, 0x6ce3254e
-0, 2430000, 80640, 0xf4340d15
-0, 2445000, 80640, 0x73861114
-0, 2460000, 80640, 0x36b300d3
-0, 2475000, 80640, 0x2ddde523
-0, 2490000, 80640, 0xfdd79c02
-0, 2505000, 80640, 0xe6cc4fe9
-0, 2520000, 80640, 0x5b13e2b9
-0, 2535000, 80640, 0x0d588e70
-0, 2550000, 80640, 0xc6e4023f
-0, 2565000, 80640, 0xf54c496f
-0, 2580000, 80640, 0xa315a5cf
-0, 2595000, 80640, 0x2d2ac9c7
+0, 0, 921600, 0xd08f97c7
+0, 6000, 921600, 0xc433a85b
+0, 12000, 921600, 0x7ffeee42
+0, 18000, 921600, 0xc0ad9f52
+0, 24000, 921600, 0xb0235112
+0, 30000, 921600, 0xcbdd9805
+0, 36000, 921600, 0x5468bdb9
+0, 42000, 921600, 0x2f0c63fd
+0, 48000, 921600, 0xf1de04f0
+0, 54000, 921600, 0x95709ce2
+0, 60000, 921600, 0x69037c4a
+0, 66000, 921600, 0x513f8a98
+0, 72000, 921600, 0x55b82fa1
+0, 78000, 921600, 0x5c8ace28
+0, 84000, 921600, 0xb019770a
--
1.7.7.3

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel