From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 26 Oct 2022 13:41:57 +0200
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/eatgq: prevent out of bounds memory access and endless loop
In-Reply-To: <1ab7c3994301a243fc64d59d6a08e3a2b364e411.1666774269.git.pross@xvid.org>
References: <1ab7c3994301a243fc64d59d6a08e3a2b364e411.1666774269.git.pross@xvid.org>
X-Microsoft-Original-Message-ID: <6dbbcfe6-f77c-7756-4d3c-42f6900cb472@outlook.com>
List-Id: FFmpeg development discussions and patches
X-Mailman-Version: 2.1.29
Precedence: list
Reply-To: FFmpeg development
discussions and patches Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: Peter Ross: > --- > libavcodec/eatgq.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c > index 89e9f20880..fdda8286ef 100644 > --- a/libavcodec/eatgq.c > +++ b/libavcodec/eatgq.c > @@ -56,7 +56,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) > return 0; > } > > -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) > +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) > { > const uint8_t *scantable = ff_zigzag_direct; > int i, j, value; > @@ -73,7 +73,9 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb > case 1: > skip_bits(gb, 2); > value = get_bits(gb, 6); > - for (j = 0; j < value; j++) > + if (!value) > + return AVERROR_INVALIDDATA; > + for (j = 0; j < value && i < 64; j++) > block[scantable[i++]] = 0; > break; > case 6: > @@ -100,6 +102,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb > } > } > block[0] += 128 << 4; > + return 0; > } > > static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, 
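Review bot: in the tgq_decode_block hunk, `for (j = 0; j < value && i < 64; j++)` silently clips a run of zeros that would overrun the 64-entry block instead of rejecting the stream; a run with value > 64 - i is malformed, so check that up front (`if (value > 64 - i) return AVERROR_INVALIDDATA;`) and keep the loop bound as plain `j < value`. The `if (!value) return AVERROR_INVALIDDATA;` that breaks the endless loop is correct for this case, but the loop only hangs because i fails to advance, so every other case in the same switch that can leave i unchanged or step it past 63 needs an equivalent guard, otherwise the fix is partial.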
> @@ -161,7 +164,8 @@ static int tgq_decode_mb(TgqContext *s, GetByteContext *gbyte, > return ret; > > for (i = 0; i < 6; i++) > - tgq_decode_block(s, s->block[i], &gb); > + if ((ret = tgq_decode_block(s, s->block[i], &gb)) < 0) > + return ret; > tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); > bytestream2_skip(gbyte, mode); > } else { > > The '4' case can also overread. But actually I don't like the idea of adding further checks into the main loop; mind if I send an alternative solution? - Andreas _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
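Review bot: in the tgq_decode_mb hunk, the two-line `if ((ret = tgq_decode_block(...)) < 0) return ret;` body inside the unbraced `for (i = 0; i < 6; i++)` is easy to misread; wrap the loop body in braces. The early return also skips tgq_idct_put_mb() and bytestream2_skip(gbyte, mode) for that macroblock, which is the right behaviour for AVERROR_INVALIDDATA only if the caller treats a negative return from tgq_decode_mb as fatal for the whole frame rather than continuing with the next macroblock; confirm that before merging.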