From eeade678f0a2bac127aeed2fb68d8717a6463420 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Fri, 28 Sep 2012 15:26:48 +0200
Subject: [PATCH 1/6] avidec: return 0, not packet size from read_packet().
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 9360e8ea22..b70367fb30 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1122,7 +1122,7 @@ resync:
 ast->packet_size= 0;
 }
- return size;
+ return 0;
 }
 if ((err = avi_sync(s, 0)) < 0)
From 0af49a63c7f87876486ab09482d5b26b95abce60 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Fri, 28 Sep 2012 15:42:29 +0200
Subject: [PATCH 2/6] avidec: use actually read size instead of requested size
Fixes CVE-2012-2788
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index b70367fb30..b2a06edd8c 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1116,7 +1116,7 @@ resync:
 }
 ast->frame_offset += get_duration(ast, pkt->size);
 }
- ast->remaining -= size;
+ ast->remaining -= err;
 if(!ast->remaining){
 avi->stream_index= -1;
 ast->packet_size= 0;
From 99f392a584dd10b553facc8e819f2c7e982e176d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Apr 2012 11:07:11 +0200
Subject: [PATCH 3/6] wmaprodec: check num_vec_coeffs for validity
Fixes CVE-2012-2789
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov
---
libavcodec/wmaprodec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 60d39be74e..1c9c6671e4 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
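Review bot: The new `ast->remaining -= err;` is only correct if `err` still holds the byte count returned by the packet read and has already been rejected when negative; both the read and that check lie outside the hunk, so the line deserves a comment such as `/* err is the number of bytes actually read; a short read leaves remaining > 0 and the rest is fetched on the next call */`. The previous patch in the series already stops returning `size` from this function, so after this change `size` should be treated as the requested length only, and any later use of it for bookkeeping would reintroduce the same mismatch. read_packet starts and ends outside the hunk.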
@@ -1174,7 +1174,12 @@ static int decode_subframe(WMAProDecodeCtx *s)
 int num_bits = av_log2((s->subframe_len + 3)/4) + 1;
 for (i = 0; i < s->channels_for_cur_subframe; i++) {
 int c = s->channel_indexes_for_cur_subframe[i];
- s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2;
+ int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2;
+ if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) {
+ av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs);
+ return AVERROR_INVALIDDATA;
+ }
+ s->channel[c].num_vec_coeffs = num_vec_coeffs;
 }
 } else {
 for (i = 0; i < s->channels_for_cur_subframe; i++) {
From b631e4ed64f7d1b9ca8f897fda31140e8d1fad81 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Apr 2012 18:28:31 +0200
Subject: [PATCH 4/6] lagarith: check count before writing zeros.
Fixes CVE-2012-2793
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov
---
libavcodec/lagarith.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index e365610410..a34c28941b 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -361,6 +361,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
 output_zeros:
 if (l->zeros_rem) {
 count = FFMIN(l->zeros_rem, width - i);
+ if (end - dst < count) {
+ av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 memset(dst, 0, count);
 l->zeros_rem -= count;
 dst += count;
From 4a969030e4d10f3f07fa52436ed3d3c6689694e0 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 29 Sep 2012 08:37:08 +0200
Subject: [PATCH 5/6] wmalosslessdec: increase WMALL_BLOCK_MAX_BITS to 14.
---
libavcodec/wmalosslessdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 56e9aad399..8300b17184 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
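Review bot: The new guard compares `num_vec_coeffs` against `WMAPRO_BLOCK_MAX_SIZE`, but the value is read with `num_bits` derived from `s->subframe_len` two lines above, so it can exceed the current subframe length while staying under the maximum block size; a tighter check, `if (num_vec_coeffs > s->subframe_len) {`, rejects those inputs as well. Whether the downstream coefficient decode tolerates a count between `s->subframe_len` and `WMAPRO_BLOCK_MAX_SIZE` is not visible in this hunk, so the array-size bound should stay if the tighter one cannot be confirmed against the buffer sizes. The `av_log` call is long enough that wrapping its arguments onto a second line would match the surrounding style. decode_subframe starts and ends outside the hunk.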
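Review bot: `end - dst < count` is now the only bound on the `memset`, and nothing in the hunk says what `end` is (the parameter list of lag_decode_zero_run_line continues outside the hunk), so the check deserves a comment stating the contract, e.g. `/* end is one past the last writable byte of dst; refuse a zero run that would spill past it */`. The comparison is signed on both sides, so a negative `count` from `FFMIN(l->zeros_rem, width - i)` would pass it and hand a huge size to `memset`; if `i` can exceed `width` at this label (not visible here), the check needs `count > 0` as well, and a comment confirming `i <= width` is the alternative. Returning before `l->zeros_rem` is updated leaves the stale run count in the context, which is fine only if the caller discards the frame on `AVERROR_INVALIDDATA`.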
@@ -38,7 +38,7 @@
 #define MAX_ORDER 256
 #define WMALL_BLOCK_MIN_BITS 6 ///< log2 of min block size
-#define WMALL_BLOCK_MAX_BITS 12 ///< log2 of max block size
+#define WMALL_BLOCK_MAX_BITS 14 ///< log2 of max block size
 #define WMALL_BLOCK_MAX_SIZE (1 << WMALL_BLOCK_MAX_BITS) ///< maximum block size
 #define WMALL_BLOCK_SIZES (WMALL_BLOCK_MAX_BITS - WMALL_BLOCK_MIN_BITS + 1) ///< possible block sizes
From 065b3a1cfa3f23aedf76244b3f3883ba913173ff Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 29 Sep 2012 08:40:42 +0200
Subject: [PATCH 6/6] wmalosslessdec: increase channel_coeffs/residues size
Fixes CVE-2012-2792
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
libavcodec/wmalosslessdec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 8300b17184..c67a392bfe 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -23,6 +23,8 @@
 */
 #include "libavutil/attributes.h"
+#include "libavutil/avassert.h"
+
 #include "avcodec.h"
 #include "internal.h"
 #include "get_bits.h"
@@ -158,14 +160,14 @@ typedef struct WmallDecodeCtx {
 int ave_sum[2];
- int channel_residues[2][2048];
+ int channel_residues[2][WMALL_BLOCK_MAX_SIZE];
 int lpc_coefs[2][40];
 int lpc_order;
 int lpc_scaling;
 int lpc_intbits;
- int channel_coeffs[2][2048];
+ int channel_coeffs[2][WMALL_BLOCK_MAX_SIZE];
 } WmallDecodeCtx;
@@ -215,6 +217,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 /* get frame len */
 s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags);
+ av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE);
 /* init previous block len */
 for (i = 0; i < avctx->channels; i++)
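Review bot: The `av_assert0` added in decode_init turns an out-of-range `samples_per_frame` into a process abort, and the inputs to `ff_wma_get_frame_len_bits` (`avctx->sample_rate`, `s->decode_flags`) come from the stream's headers; if that helper can return more than `WMALL_BLOCK_MAX_BITS` for any input, this line should instead be `if (s->samples_per_frame > WMALL_BLOCK_MAX_SIZE) return AVERROR_INVALIDDATA;` preceded by an `av_log`. If it cannot, which the bump of `WMALL_BLOCK_MAX_BITS` to 14 in the previous patch suggests, the assertion is an invariant and deserves a comment saying so, e.g. `/* ff_wma_get_frame_len_bits() never exceeds WMALL_BLOCK_MAX_BITS, so channel_residues/channel_coeffs (WMALL_BLOCK_MAX_SIZE) hold a full frame */`. That relationship is also what makes the two array resizes in the WmallDecodeCtx hunk sufficient, so the comment belongs next to the assert rather than the arrays. decode_init continues outside the hunk.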