[FFmpeg-cvslog] apedec: prevent out of array writes in decode_array_0000
ffmpeg | branch: release/2.2 | Andreas Cadhalpun | Tue Apr 28 11:13:43 2015 +0200| [bb519be5e6c6600ea40a1f86d036aa05155746a2] | committer: Michael Niedermayer

apedec: prevent out of array writes in decode_array_

s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)

Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_.

In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small.

This causes memory corruption, leading to segmentation faults or other crashes.

Thus change decode_array_ to write at most blockstodecode elements of the out buffer.

Signed-off-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)
Signed-off-by: Michael Niedermayer

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb519be5e6c6600ea40a1f86d036aa05155746a2

--- libavcodec/apedec.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 58072d4..370f1ab 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -598,14 +598,14 @@ static void decode_array_(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; -for (i = 0; i < 5; i++) { +for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; -for (; i < 64; i++) { +for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;

___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
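Review bot: in the unchanged context right after the first loop, `rice->k = av_log2(rice->ksum / 10) + 1;` still divides by 10 as though five samples had been summed, so once the loop is bounded by `FFMIN(blockstodecode, 5)` a block with fewer than five samples derives k from a partial sum; this is memory-safe (the second loop is capped the same way and the `if (rice->k >= 24) return;` early exit is unchanged), but a short comment stating that the 5 and 64 warm-up counts are now ceilings, or a divisor of `2 * FFMIN(blockstodecode, 5)` matching the `(i + 1) * 2` used in the second loop, would make that intent explicit. Minor: the same context shows the function reading from `&ctx->gb` while its signature takes a `GetBitContext *gb` parameter, which could use a follow-up cleanup. The identical hunk is carried unchanged into the release/2.5, release/2.4, release/2.6 and master commits below, so both remarks apply to each of them.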
[FFmpeg-cvslog] apedec: prevent out of array writes in decode_array_0000
ffmpeg | branch: release/2.5 | Andreas Cadhalpun | Tue Apr 28 11:13:43 2015 +0200| [c946f2cc83cf33bd01e8de168e0345a05f68b2ce] | committer: Michael Niedermayer

apedec: prevent out of array writes in decode_array_

s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)

Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_.

In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small.

This causes memory corruption, leading to segmentation faults or other crashes.

Thus change decode_array_ to write at most blockstodecode elements of the out buffer.

Signed-off-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)
Signed-off-by: Michael Niedermayer

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c946f2cc83cf33bd01e8de168e0345a05f68b2ce

--- libavcodec/apedec.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 2ccbdc8..577d0aa 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -601,14 +601,14 @@ static void decode_array_(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; -for (i = 0; i < 5; i++) { +for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; -for (; i < 64; i++) { +for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;
[FFmpeg-cvslog] apedec: prevent out of array writes in decode_array_0000
ffmpeg | branch: release/2.4 | Andreas Cadhalpun | Tue Apr 28 11:13:43 2015 +0200| [4e4708ad8093151b2b79276b7c2950a4462108b4] | committer: Michael Niedermayer

apedec: prevent out of array writes in decode_array_

s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)

Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_.

In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small.

This causes memory corruption, leading to segmentation faults or other crashes.

Thus change decode_array_ to write at most blockstodecode elements of the out buffer.

Signed-off-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)
Signed-off-by: Michael Niedermayer

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e4708ad8093151b2b79276b7c2950a4462108b4

--- libavcodec/apedec.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 383b7fe..8607214 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -601,14 +601,14 @@ static void decode_array_(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; -for (i = 0; i < 5; i++) { +for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; -for (; i < 64; i++) { +for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;
[FFmpeg-cvslog] apedec: prevent out of array writes in decode_array_0000
ffmpeg | branch: release/2.6 | Andreas Cadhalpun | Tue Apr 28 11:13:43 2015 +0200| [9f2c8734b9c3f963dd85c527ee0b588aebb21e17] | committer: Andreas Cadhalpun

apedec: prevent out of array writes in decode_array_

s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)

Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_.

In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small.

This causes memory corruption, leading to segmentation faults or other crashes.

Thus change decode_array_ to write at most blockstodecode elements of the out buffer.

Signed-off-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)
Signed-off-by: Andreas Cadhalpun

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f2c8734b9c3f963dd85c527ee0b588aebb21e17

--- libavcodec/apedec.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index ffd54c1..03afd75 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -592,14 +592,14 @@ static void decode_array_(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; -for (i = 0; i < 5; i++) { +for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; -for (; i < 64; i++) { +for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;
[FFmpeg-cvslog] apedec: prevent out of array writes in decode_array_0000
ffmpeg | branch: master | Andreas Cadhalpun | Tue Apr 28 11:13:43 2015 +0200| [699341d647f7af785fb8ceed67604467b0b9ab12] | committer: Michael Niedermayer

apedec: prevent out of array writes in decode_array_

s->decoded_buffer is allocated with a min_size of:
2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)

Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_.

In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small.

This causes memory corruption, leading to segmentation faults or other crashes.

Thus change decode_array_ to write at most blockstodecode elements of the out buffer.

Signed-off-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=699341d647f7af785fb8ceed67604467b0b9ab12

--- libavcodec/apedec.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index ffd54c1..03afd75 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -592,14 +592,14 @@ static void decode_array_(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; -for (i = 0; i < 5; i++) { +for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; -for (; i < 64; i++) { +for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1;