On 01/26/2012 06:42 PM, Alex Converse wrote:
> In the fate sample field_size is larger than the number of bytes
> remaining in the buffer. Furthermore the bytes to bits conversion was
> prone to integer overflow when sizing the GetBitContext.
>
> Fixes CVE-2011-3947
>
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> ---
> libavcodec/mjpegbdec.c | 7 +++++--
> 1 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
> index 4ad17ab..e0dc5e1 100644
> --- a/libavcodec/mjpegbdec.c
> +++ b/libavcodec/mjpegbdec.c
> @@ -59,6 +59,9 @@ read_header:
> s->restart_count = 0;
> s->mjpb_skiptosod = 0;
>
> + if (buf_end - buf_ptr > 1 << 28)
> + return AVERROR_INVALIDDATA;
change > to >=
> +
> init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
>
> skip_bits(&hgb, 32); /* reserved zeros */
> @@ -111,8 +114,8 @@ read_header:
> av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
> if (sos_offs)
> {
> -// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
> - init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
> + init_get_bits(&s->gb, buf_ptr + sos_offs,
> + 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
> s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
> s->start_code = SOS;
> if (ff_mjpeg_decode_sos(s, NULL, NULL) < 0 &&
rest looks ok.
-Justin
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
