[libav-bugs] [Bug 102] Invalid Reads in bswap.h

bugzilla-daemon at aruru.libav.org bugzilla-daemon at aruru.libav.org
Mon Nov 28 00:10:16 CET 2011


http://bugzilla.libav.org/show_bug.cgi?id=102

--- Comment #6 from Aneesh Dogra <lionaneesh at gmail.com> 2011-11-28 00:10:16 CET ---
(In reply to comment #5)
> The instruction that crashes is this one:
> 
> 0x000000010029bc3e <parse_bintree+478>:    mov    (%rcx,%rdx,1),%r8d
> 
> in this code blob:
> 
> 0x000000010029bc0e <skip_bits_long+0>:    add    0x1764(%r15),%eax
> 0x000000010029bc15 <skip_bits_long+7>:    mov    %eax,0x1758(%r15)
> 0x000000010029bc1c <parse_bintree+444>:    movl   $0x0,0x1764(%r15)
> 0x000000010029bc27 <parse_bintree+455>:    movl   $0x0,0x1760(%r15)
> 0x000000010029bc32 <parse_bintree+466>:    mov    0x1748(%r15),%rcx
> 0x000000010029bc39 <parse_bintree+473>:    mov    %eax,%edx
> 0x000000010029bc3b <parse_bintree+475>:    shr    $0x3,%edx
> 0x000000010029bc3e <parse_bintree+478>:    mov    (%rcx,%rdx,1),%r8d
> 0x000000010029bc42 <parse_bintree+482>:    lea    0x2(%rax),%edx
> 0x000000010029bc45 <parse_bintree+485>:    mov    %edx,0x1758(%r15)
> 0x000000010029bc4c <parse_bintree+492>:    bswap  %r8d
> 0x000000010029bc4f <parse_bintree+495>:    mov    %al,%cl
> 0x000000010029bc51 <parse_bintree+497>:    and    $0x7,%cl
> 0x000000010029bc54 <parse_bintree+500>:    shl    %cl,%r8d
> 0x000000010029bc57 <NEG_USR32+0>:    shr    $0xfe,%r8d
> 0x000000010029bc5b <NEG_USR32+4>:    cmp    $0x3,%r8d
> 
> which (in libavcodec/indeo3.c:parse_bintree()) is:
> 
> [..]
>     while (1) { /* loop until return */
>         RESYNC_BITSTREAM;
>         switch (code = get_bits(&ctx->gb, 2)) { <-- this line
>         case H_SPLIT:
> [..]
> 
> parse_bintree() is called from decode_plane() with an insanely large
> num_vectors, causing the buffer pointer to be invalid. The bug is likely that
> the num_vectors isn't checked against the input buffer size.

I have no idea about the assembly opcodes used by the program!

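Added example, not code from the bug report or from libav: a minimal big-endian bit reader that does the same arithmetic as the quoted disassembly (4-byte load at index>>3, bswap, shift by index&7, keep the top bits), plus the size check comment #5 says is missing. The names (BitReader, br_get_bits, parse_vectors), the constructed sample bytes and the assumed minimum of 2 bits per vector are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {
    const uint8_t *buf;
    size_t size;     /* buffer size in bytes */
    size_t index;    /* current position in bits */
} BitReader;

/* Same steps as the crashing code, but bytes past the end of buf are never
 * touched (they read as zero) and a request beyond the buffer returns -1. */
static int br_get_bits(BitReader *br, unsigned n)
{
    size_t byte_off = br->index >> 3;
    unsigned shift = br->index & 7;          /* bits already consumed in this word */
    uint32_t word = 0;
    if (n == 0 || n > 25 || br->index + n > br->size * 8)
        return -1;                           /* would read past the input */
    for (int i = 0; i < 4; i++) {            /* big-endian 32-bit load, bounded */
        word <<= 8;
        if (byte_off + i < br->size)
            word |= br->buf[byte_off + i];
    }
    br->index += n;
    return (int)((word << shift) >> (32 - n));
}

#define MIN_BITS_PER_VECTOR 2   /* hypothetical lower bound per vector */

/* Reject a vector count that cannot possibly fit in the bits left, then read
 * one 2-bit code per vector. Returns codes read, or -1 on bad count/short input. */
static int parse_vectors(BitReader *br, size_t num_vectors)
{
    if (br->index > br->size * 8)
        return -1;
    size_t bits_left = br->size * 8 - br->index;
    if (num_vectors > bits_left / MIN_BITS_PER_VECTOR)
        return -1;                           /* the missing check */
    int read = 0;
    for (size_t i = 0; i < num_vectors; i++, read++)
        if (br_get_bits(br, 2) < 0)
            return -1;
    return read;
}

/* Constructed sample input: 32 bits, room for exactly 16 two-bit codes. */
static const uint8_t sample[4] = { 0xE4, 0x1B, 0x00, 0xFF };

static int run(size_t num_vectors)   /* parse the sample with a given count */
{
    BitReader br = { sample, sizeof sample, 0 };
    return parse_vectors(&br, num_vectors);
}
```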