[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/1.1 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [1b9a62c357b1e0045b5c1eb6fb6e5f3cdbd979ce] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b9a62c357b1e0045b5c1eb6fb6e5f3cdbd979ce --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index cc9e11b..8beec50 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -98,6 +98,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -339,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/0.10 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [ce219702c3469e16fd1c70fc750a59b71ae8c8d5] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce219702c3469e16fd1c70fc750a59b71ae8c8d5 --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index f4b5439..1890cdd 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -94,6 +94,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -336,10 +339,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/1.2 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [931f4313b2ec2e47bb34b6906ec53df6d3d45f9a] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=931f4313b2ec2e47bb34b6906ec53df6d3d45f9a --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index cb268b8..2200633 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -99,6 +99,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -340,10 +343,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/2.2 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [0d481efb7b81ab2f0491a854a4fd5d8cfb305680] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0d481efb7b81ab2f0491a854a4fd5d8cfb305680 --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 637f3e6..0fcf0fb 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/2.4 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [e2e145db89913e86e9b8573b1b90f001c46dee5e] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2e145db89913e86e9b8573b1b90f001c46dee5e --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 7355c03..5e22556 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (!yuv_palette) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/2.5 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [e0a12b3dc3a252412e91416ebbbf9449e82e4bd0] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0a12b3dc3a252412e91416ebbbf9449e82e4bd0 --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 39604f3..20b9d41 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (!yuv_palette) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: release/2.3 | wm4 | Mon Jan 5 04:45:26 2015 +0100| [f03888b449faf2888a149cae3b340ea13c6f85fa] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f03888b449faf2888a149cae3b340ea13c6f85fa --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 39b0e25..7dbaf17 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
ffmpeg | branch: master | wm4 | Mon Jan 5 04:45:26 2015 +0100| [c9151de7c42553bb145be608df8513c1287f1f24] | committer: Michael Niedermayer avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9151de7c42553bb145be608df8513c1287f1f24 --- libavcodec/dvdsubdec.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index c7d85a6..2423cad 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; +if (start >= buf_size) +return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; -decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); -decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); +if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) +goto fail; +if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) +goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (!yuv_palette) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog