[libav-bugs] [Bug 102] Invalid Reads in bswap.h

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Mon Nov 28 00:06:44 CET 2011


http://bugzilla.libav.org/show_bug.cgi?id=102

Ronald S. Bultje <rsbultje at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rsbultje at gmail.com

--- Comment #5 from Ronald S. Bultje <rsbultje at gmail.com> 2011-11-28 00:06:44 CET ---
The instruction that crashes is this one:

0x000000010029bc3e <parse_bintree+478>:    mov    (%rcx,%rdx,1),%r8d

in this code blob:

0x000000010029bc0e <skip_bits_long+0>:    add    0x1764(%r15),%eax
0x000000010029bc15 <skip_bits_long+7>:    mov    %eax,0x1758(%r15)
0x000000010029bc1c <parse_bintree+444>:    movl   $0x0,0x1764(%r15)
0x000000010029bc27 <parse_bintree+455>:    movl   $0x0,0x1760(%r15)
0x000000010029bc32 <parse_bintree+466>:    mov    0x1748(%r15),%rcx
0x000000010029bc39 <parse_bintree+473>:    mov    %eax,%edx
0x000000010029bc3b <parse_bintree+475>:    shr    $0x3,%edx
0x000000010029bc3e <parse_bintree+478>:    mov    (%rcx,%rdx,1),%r8d
0x000000010029bc42 <parse_bintree+482>:    lea    0x2(%rax),%edx
0x000000010029bc45 <parse_bintree+485>:    mov    %edx,0x1758(%r15)
0x000000010029bc4c <parse_bintree+492>:    bswap  %r8d
0x000000010029bc4f <parse_bintree+495>:    mov    %al,%cl
0x000000010029bc51 <parse_bintree+497>:    and    $0x7,%cl
0x000000010029bc54 <parse_bintree+500>:    shl    %cl,%r8d
0x000000010029bc57 <NEG_USR32+0>:    shr    $0xfe,%r8d
0x000000010029bc5b <NEG_USR32+4>:    cmp    $0x3,%r8d

which (in libavcodec/indeo3.c:parse_bintree()) is:

[..]
    while (1) { /* loop until return */
        RESYNC_BITSTREAM;
        switch (code = get_bits(&ctx->gb, 2)) { <-- this line
        case H_SPLIT:
[..]

parse_bintree() is called from decode_plane() with an insanely large
num_vectors, causing the buffer pointer to be invalid. The bug is likely that
the num_vectors isn't checked against the input buffer size.

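As an added illustration (not code from the bug report or from libav), the read pattern in the disassembly above in a bounds-checked form: the 32-bit fetch never dereferences outside the buffer, and the caller-supplied vector count is validated against the bitstream size before parsing starts, which is the check the comment says is missing. BitReader, fetch32_safe, get_bits_checked and read_codes are hypothetical names, and the sample buffer in the test is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal bit reader modelled on the access pattern in the disassembly:
   fetch 32 bits big-endian at buffer + (index >> 3), shift left by
   (index & 7), keep the top n bits. Hypothetical type, not libav's GetBitContext. */
typedef struct {
    const uint8_t *buffer;
    int size_in_bits;   /* total bits available in buffer */
    int index;          /* current bit position */
} BitReader;

/* Fetch up to 4 bytes starting at byte offset pos. Bytes past the end of
   the buffer read as zero (the role libav's input padding plays), so the
   load never touches memory outside [buffer, buffer + size). */
static uint32_t fetch32_safe(const BitReader *r, size_t pos) {
    uint8_t tmp[4] = {0, 0, 0, 0};
    size_t size = (size_t)r->size_in_bits / 8;
    size_t avail = pos < size ? size - pos : 0;
    if (avail > 4) avail = 4;
    if (avail > 0) memcpy(tmp, r->buffer + pos, avail);
    return ((uint32_t)tmp[0] << 24) | ((uint32_t)tmp[1] << 16) |
           ((uint32_t)tmp[2] << 8)  |  (uint32_t)tmp[3];
}

/* Bounds-checked get_bits: returns the n-bit value (n in 1..25), or -1 if
   the read would run past the end of the bitstream. */
static int get_bits_checked(BitReader *r, int n) {
    if (n < 1 || n > 25 || r->index < 0 || r->index + n > r->size_in_bits)
        return -1;
    uint32_t v = fetch32_safe(r, (size_t)r->index >> 3) << (r->index & 7);
    r->index += n;
    return (int)(v >> (32 - n));
}

/* Hypothetical stand-in for the parse loop: read num_vectors 2-bit codes.
   The count is validated against the buffer size up front (each code needs
   at least 2 bits) and every read is bounds-checked. Returns the number of
   codes read, or -1 if the count or a read would overrun the buffer. */
static int read_codes(const uint8_t *buf, int size_bytes, int num_vectors,
                      int *out, int max_out) {
    BitReader r = { buf, size_bytes * 8, 0 };
    if (size_bytes < 0 || num_vectors < 0 || num_vectors > max_out ||
        num_vectors > r.size_in_bits / 2)
        return -1;
    for (int i = 0; i < num_vectors; i++) {
        int code = get_bits_checked(&r, 2);
        if (code < 0) return -1;
        out[i] = code;
    }
    return num_vectors;
}
```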