From 8b24e17d0920e070e0353dee6901fbaf8666f94f Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Tue, 7 Jan 2014 14:21:53 +0100
Subject: [PATCH 1/6] twinvq: Cope with gcc-4.8.2 miscompilation

Apparently gcc-4.8.2 miscompiles enums resulting in a lucky fpe soon after it. Passing the enum value as integer makes the ftype == FT_PPC condition evaluates correctly.
---
 libavcodec/twinvq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 3006e9f108..6d0a0ec9c9 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -996,7 +996,7 @@ static void linear_perm(int16_t *out, int16_t *in, int n_blocks, int size)
         out[i] = block_size * (in[i] % n_blocks) + in[i] / n_blocks;
 }
 
-static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype)
+static av_cold void construct_perm_table(TwinContext *tctx, int ftype)
 {
     int block_size;
     const ModeTab *mtab = tctx->mtab;

From a89acaa0b0dbf463a4a60499421e770608a23903 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 20 Jan 2013 05:10:32 +0100
Subject: [PATCH 2/6] get_bits: change the failure condition in init_get_bits

Too much code relies in having init_get_bits fed with a valid buffer and set its dimension to 0. Check for NULL buffer instead.
(cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855)
Signed-off-by: Luca Barbato
---
 libavcodec/get_bits.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index dc348c7713..db70937c14 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -357,7 +357,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
     int buffer_size;
     int ret = 0;
 
-    if (bit_size > INT_MAX - 7 || bit_size <= 0) {
+    if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) {
         buffer_size = bit_size = 0;
         buffer = NULL;
         ret = AVERROR_INVALIDDATA;

From 976a7b72a3f51c18fee573985987bdcdd445af0d Mon Sep 17 00:00:00 2001
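Review bot: The switch from `enum FrameType` to `int` on construct_perm_table is a compiler-bug workaround that the code itself does not explain, so a later cleanup is likely to restore the enum and reintroduce the failure; a comment on the new signature, e.g. `/* ftype is deliberately int, not enum FrameType: gcc-4.8.2 miscompiled the enum comparison against FT_PPC (see commit message) */`, would preserve the rationale. Taking an `int` also drops the type checking the enum gave, so an out-of-range value now reaches the `ftype == FT_PPC` comparison silently; an assertion on the accepted range at the top of the body would keep that guarantee. Since the only visible symptom was an FPE after the comparison, it is worth confirming with `-fsanitize=undefined` that the root cause is the compiler and not an out-of-range or uninitialized ftype reaching this call. The body of construct_perm_table continues outside the hunk.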
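Review bot: The new condition in init_get_bits accepts `bit_size == 0` with a non-NULL buffer, which is a deliberate contract change (callers rely on a zero-length init succeeding) that is not visible from the code; a comment on the check, e.g. `/* A zero-sized buffer is valid: many callers init with size 0 and only read after checking. Reject NULL buffers and negative sizes. */`, would keep the next reader from tightening it back to `<= 0`. Note that a NULL buffer with `bit_size == 0` is still rejected exactly as before, so the relaxation applies only to non-NULL zero-length buffers, which is worth stating in the comment so the boundary is explicit. init_get_bits starts before and ends after this hunk.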
From: Luca Barbato
Date: Tue, 6 Aug 2013 03:52:48 +0200
Subject: [PATCH 3/6] avi: directly resync on DV in AVI read failure

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288)
Signed-off-by: Reinhard Tartler
Adresses CVE-2013-0856
(cherry picked from commit 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf)
Signed-off-by: Reinhard Tartler
---
 libavformat/avidec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 11d086cbe8..8d06c9a1d2 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -986,6 +986,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt)
         int size = avpriv_dv_get_packet(avi->dv_demux, pkt);
         if (size >= 0)
             return size;
+        else
+            goto resync;
     }
 
     if(avi->non_interleaved){

From d04194db45711f82e3e87fab62c9224ac03998c3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 25 Jan 2013 06:11:59 +0100
Subject: [PATCH 4/6] vqavideo: check chunk sizes before reading chunks

Fixes out of array writes
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
Signed-off-by: Michael Niedermayer
(cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660)
CC: libav-stable@libav.org
Signed-off-by: Reinhard Tartler
(cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a)
Addresses: CVE-2013-0865
Signed-off-by: Reinhard Tartler
(cherry picked from commit ab434bf0d051008a329d49d0256faa5d64e2bf4d)
Signed-off-by: Reinhard Tartler
---
 libavcodec/vqavideo.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 110d8b17d5..7870f0e3c7 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
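Review bot: The added `else` after a `return size;` is redundant: the `if` branch already leaves the function, so `goto resync;` can follow unconditionally, i.e. `if (size >= 0)` / `return size;` / `goto resync;`, which is also easier to read without braces. The `resync` label and the loop it re-enters are outside the hunk, so it is not visible here whether a repeatedly failing avpriv_dv_get_packet can make the demuxer spin without consuming input; presumably the resync path advances the stream position, but that is worth confirming since this path is reached on malformed files. Whether the negative return from avpriv_dv_get_packet carries an error worth propagating rather than silently resyncing is likewise not visible in the hunk. avi_read_packet starts before and ends after this hunk.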
@@ -533,6 +533,12 @@ static int vqa_decode_chunk(VqaContext *s)
         bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
         chunk_size = bytestream2_get_be32(&s->gb);
 
+        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n",
+                   chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
+
         /* accumulate partial codebook */
         bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
                                chunk_size);
@@ -556,6 +562,12 @@ static int vqa_decode_chunk(VqaContext *s)
         bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
         chunk_size = bytestream2_get_be32(&s->gb);
 
+        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n",
+                   chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
+
         /* accumulate partial codebook */
         bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
                                chunk_size);

From ef6c90e102a393c136a38c1eee42bfd26e964de5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 30 Aug 2013 23:14:32 +0200
Subject: [PATCH 5/6] dsputil/pngdsp: fix signed/unsigned type in end comparison

Fixes out of array accesses and integer overflows.
(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014
Signed-off-by: Reinhard Tartler
(cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b)
Signed-off-by: Reinhard Tartler
Conflicts: libavcodec/pngdsp.c
---
 libavcodec/dsputil.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
index 050081ad79..b32fea958c 100644
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
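Review bot: The new bound `chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index` is only safe while next_codebook_buffer_index never exceeds MAX_CODEBOOK_SIZE; the `%u` in the log suggests chunk_size is unsigned, so if the subtraction ever went negative the usual arithmetic conversions would turn it into a large unsigned value and the check would pass, defeating the fix. This check is presumably what maintains that invariant, since every accumulated chunk has to pass it, but nothing in the hunk says so; a comment such as `/* index <= MAX_CODEBOOK_SIZE holds because every accumulated chunk passed this check, so the subtraction cannot go negative */` would make the dependency explicit. The same check is duplicated verbatim in the cbpz hunk below, and a small static helper taking the chunk name for the log would keep the two from drifting apart. vqa_decode_chunk starts before and ends after both hunks.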
@@ -1867,7 +1867,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
 
 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
     long i;
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src+i);
         long b = *(long*)(dst+i);
         *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1903,7 +1903,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
         }
     }else
 #endif
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src1+i);
         long b = *(long*)(src2+i);
         *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);

From cb5d0ea0bec119ecbe327bd7d3834987ab42ec1a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 20 Aug 2013 23:18:48 +0200
Subject: [PATCH 6/6] flashsv: Check diff_start diff_height values

Fix out of array accesses.
Found-by: ami_stuff
Signed-off-by: Michael Niedermayer
Adresses: CVE-2013-7015
(cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 10d48fe6d3963842319b1d8d738a318020836e72)
Signed-off-by: Reinhard Tartler
---
 libavcodec/flashsv.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index 4a231ce899..686a696099 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -377,6 +377,12 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                 }
                 s->diff_start = get_bits(&gb, 8);
                 s->diff_height = get_bits(&gb, 8);
+                if (s->diff_start + s->diff_height > cur_blk_height) {
+                    av_log(avctx, AV_LOG_ERROR,
+                           "Block parameters invalid: %d + %d > %d\n",
+                           s->diff_start, s->diff_height, cur_blk_height);
+                    return AVERROR_INVALIDDATA;
+                }
                 av_log(avctx, AV_LOG_DEBUG,
                        "%dx%d diff start %d height %d\n",
                        i, j, s->diff_start, s->diff_height);
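Review bot: The `(int) sizeof(long)` cast in add_bytes_c's loop bound fixes the silent promotion of `w - sizeof(long)` to an unsigned value for `w < sizeof(long)`, but it reads like a stray cast and is the kind of thing a later cleanup removes; either a comment on the line, e.g. `/* keep the compare signed: w - sizeof(long) would wrap for small w */`, or the rearranged form `for (i = 0; i + (long) sizeof(long) <= w; i += sizeof(long)) {`, which needs no subtraction at all, would make the intent self-evident. The same change and the same remark apply to the diff_bytes_c hunk below. The pre-existing `*(long*)(src+i)` accesses remain unaligned type-punned reads, which is separate from this fix but worth keeping in mind when these loops are touched again. Both functions continue past their hunks, and diff_bytes_c also starts before its hunk.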