From 39bec05ed42e505d17877b0c23f16322f9b5883b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 30 Nov 2012 23:59:40 +0100
Subject: [PATCH 1/3] qdm2: check array index before use, fix out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
(cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed)
CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler
---
 libavcodec/qdm2.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 1286cc5163..61ac0a830d 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1232,6 +1232,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
 for (i = 0; packet_bytes > 0; i++) {
 int j;
+ if (i >= FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
+ SAMPLES_NEEDED_2("too many packet bytes");
+ return;
+ }
+
 q->sub_packet_list_A[i].next = NULL;
 if (i > 0) {
From f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 25 Jan 2013 06:11:59 +0100
Subject: [PATCH 2/3] vqavideo: check chunk sizes before reading chunks
Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
Signed-off-by: Michael Niedermayer
(cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)
CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler
---
 libavcodec/vqavideo.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 22b024c3d6..ae854cda56 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
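Review bot: In the qdm2.c hunk, the message `too many packet bytes` does not describe the condition it reports: the guard fires when the sub-packet counter `i` reaches the capacity of `q->sub_packet_list_A` while `packet_bytes` may still be legitimately positive, so `SAMPLES_NEEDED_2("too many sub packets")` would match the check. Since qdm2_decode_super_block returns void, the caller cannot tell that the rest of the super block was dropped; a comment above the return, `/* list full: drop the rest of the super block rather than write past sub_packet_list_A */`, records that this is deliberate. Assuming `i` is a plain int like `j`, comparing it with the size_t result of FF_ARRAY_ELEMS is safe here because `i` starts at 0 and only increments, but it will draw -Wsign-compare. The function starts and ends outside the hunk, so whether other fixed-size lists indexed by `i` further down get the same guard cannot be confirmed from this hunk.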
@@ -532,6 +532,12 @@ static int vqa_decode_chunk(VqaContext *s)
 bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
 chunk_size = bytestream2_get_be32(&s->gb);
+ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n",
+ chunk_size);
+ return AVERROR_INVALIDDATA;
+ }
+
 /* accumulate partial codebook */
 bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
 chunk_size);
@@ -555,6 +561,12 @@ static int vqa_decode_chunk(VqaContext *s)
 bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
 chunk_size = bytestream2_get_be32(&s->gb);
+ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n",
+ chunk_size);
+ return AVERROR_INVALIDDATA;
+ }
+
 /* accumulate partial codebook */
 bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
 chunk_size);
From 488f87be873506abb01d67708a67c10a4dd29283 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 29 Nov 2012 15:18:17 +0100
Subject: [PATCH 3/3] roqvideodec: check dimensions validity
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)
Signed-off-by: Michael Niedermayer
(cherry picked from commit fee26d352a52eb9f7fcd8d9167fb4a5ba015b612)
CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler
---
 libavcodec/roqvideodec.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
index 2543cecb27..3ee62c01b5 100644
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
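Review bot: In the cbp0 hunk of vqa_decode_chunk, the guard `chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index` is only sound while `s->next_codebook_buffer_index` stays at or below MAX_CODEBOOK_SIZE; if it ever exceeded that, the right-hand side would go negative and, with `chunk_size` being the unsigned 32-bit value returned by bytestream2_get_be32, be converted to a huge unsigned value so the check would pass. The index is presumably advanced only by the accumulate path that follows this check, which keeps the invariant, but neither its type nor where it is reset is visible in the hunk. The identical comparison appears in the cbpz hunk below; a `/* keeps next_codebook_buffer_index + chunk_size <= MAX_CODEBOOK_SIZE */` comment at both sites, or one small static helper, makes the invariant explicit. vqa_decode_chunk begins and ends outside the hunk.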
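Review bot: In the cbpz hunk, `return AVERROR_INVALIDDATA;` leaves `s->next_codebook_buffer_index` and the partially accumulated `s->next_codebook_buffer` as they were, so if the decoder context is fed further packets after the error, the stale partial codebook is combined with whatever chunk arrives next; the cbp0 hunk above has the same error path. Whether the index is reset elsewhere on error is not visible here; if it is not, `s->next_codebook_buffer_index = 0;` before the return, or a comment stating why the stale partial state is harmless, would make the recovery path explicit. The enclosing function continues outside the hunk.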
@@ -159,6 +159,13 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
 RoqContext *s = avctx->priv_data;
 s->avctx = avctx;
+
+ if (avctx->width % 16 || avctx->height % 16) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Dimensions must be a multiple of 16\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
 s->width = avctx->width;
 s->height = avctx->height;
 s->last_frame = &s->frames[0];
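Review bot: In roq_decode_init, `0 % 16` is 0 and so is `-16 % 16`, so a zero or negative-multiple-of-16 width or height passes the new check and is copied into `s->width`/`s->height`; unless the generic open path already rejects such dimensions (not visible here), `avctx->width <= 0 || avctx->height <= 0` belongs in the same condition. The reason for 16 is not recorded anywhere in the hunk; a comment above the check such as `/* presumably the decoder writes whole 16x16 blocks, so partial blocks would run past the frame — confirm */` tells the next reader what the guard protects, since the commit message only says "validity". AVERROR_PATCHWELCOME signals a missing feature rather than bad input; if the bitstream cannot express non-multiple-of-16 sizes at all, AVERROR_INVALIDDATA describes the situation better, though either stops the decoder. roq_decode_init continues past the end of the hunk.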