[libav-bugs] [Bug 1174] New: Infinite loop in function flic_decode_frame_15_16BPP in libavcodec/flicvideo.c

bugzilla at libav.org bugzilla at libav.org
Mon Oct 7 10:40:05 CEST 2019


https://bugzilla.libav.org/show_bug.cgi?id=1174

            Bug ID: 1174
           Summary: Infinite loop in function flic_decode_frame_15_16BPP
                    in libavcodec/flicvideo.c
           Product: Libav
           Version: git HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: yangx92 at hotmail.com

Hi,

There is an infinite loop vulnerability in the function flic_decode_frame_15_16BPP
in libavcodec/flicvideo.c.

                while (pixel_countdown > 0) {
                    byte_run = sign_extend(bytestream2_get_byte(&g2), 8);
                    if (byte_run > 0) {
                        palette_idx1 = bytestream2_get_byte(&g2);
                        CHECK_PIXEL_PTR(byte_run);
                        for (j = 0; j < byte_run; j++) {
                            pixels[pixel_ptr++] = palette_idx1;
                            pixel_countdown--;
                            if (pixel_countdown < 0)
                                av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d) (linea%d)\n",
                                       pixel_countdown, lines);
                        }
                    } else {  /* copy bytes if byte_run < 0 */
                        byte_run = -byte_run;
                        CHECK_PIXEL_PTR(byte_run);
                        for (j = 0; j < byte_run; j++) {
                            palette_idx1 = bytestream2_get_byte(&g2);
                            pixels[pixel_ptr++] = palette_idx1;
                            pixel_countdown--;
                            if (pixel_countdown < 0)
                                av_log(avctx, AV_LOG_ERROR, "pixel_countdown < 0 (%d) at line %d\n",
                                       pixel_countdown, lines);
                        }
                    }
                }

It is possible that byte_run is zero. Then there is an infinite loop
vulnerability.

It is the same vulnerability as the one that was fixed in the function
flic_decode_frame_8BPP (see
https://git.libav.org/?p=libav.git;a=commit;h=ddfe1246d98f70cdce368a2176196ba26ed7bf2d
for details).

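The following is an added example, not code from the report or from libav, that models the byte-run loop quoted above so the hang can be reproduced and checked offline. The ByteReader type, decode_brun_line(), the result codes, ITER_CAP and the sample inputs are all constructed for the example; the one libav property it relies on is that bytestream2_get_byte() returns 0 once the buffer is exhausted, which is why a truncated chunk feeds the loop an endless stream of byte_run == 0 (a zero run takes the else branch with byte_run = -0, copies nothing, and pixel_countdown never decreases). The hardened path adds two exits, no input left and a zero run; whether a real fix rejects a zero run or only checks the remaining input is a design choice, and the example takes the stricter option.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for libav's GetByteContext (modelled here, not libav's own code).
 * Like bytestream2_get_byte(), reads past the end return 0 instead of failing. */
typedef struct {
    const uint8_t *cur, *end;
} ByteReader;

static int br_get_byte(ByteReader *r)
{
    return r->cur < r->end ? *r->cur++ : 0;
}

static int br_bytes_left(const ByteReader *r)
{
    return (int)(r->end - r->cur);
}

/* Equivalent of sign_extend(v, 8) for a byte in 0..255. */
static int sign_extend8(int v)
{
    return (v & 0x80) ? v - 0x100 : v;
}

/* Outcomes of decode_brun_line(). */
enum { BRUN_OK = 0, BRUN_TRUNCATED, BRUN_ZERO_RUN, BRUN_OVERFLOW, BRUN_HANG };

/* Decode one byte-run compressed line of 'width' bytes into 'pixels'.
 * hardened == 0 reproduces the control flow quoted in the report;
 * hardened != 0 adds the two exits a fix needs (no input left, zero run).
 * 'max_iter' bounds the outer loop so the unhardened variant reports
 * BRUN_HANG instead of spinning forever. */
static int decode_brun_line(const uint8_t *data, size_t len,
                            uint8_t *pixels, int width,
                            int hardened, int max_iter)
{
    ByteReader r = { data, data + len };
    int pixel_countdown = width;
    int pixel_ptr = 0;
    int iter = 0;

    while (pixel_countdown > 0) {
        int byte_run, j;

        if (++iter > max_iter)                    /* guard for the demo only */
            return BRUN_HANG;
        if (hardened && br_bytes_left(&r) < 1)    /* exit 1: chunk exhausted */
            return BRUN_TRUNCATED;

        byte_run = sign_extend8(br_get_byte(&r));
        if (hardened && byte_run == 0)            /* exit 2: a zero run never makes progress */
            return BRUN_ZERO_RUN;

        if (byte_run > 0) {                       /* replicate one byte byte_run times */
            int value = br_get_byte(&r);
            if (pixel_ptr + byte_run > width)     /* stands in for CHECK_PIXEL_PTR */
                return BRUN_OVERFLOW;
            for (j = 0; j < byte_run; j++) {
                pixels[pixel_ptr++] = (uint8_t)value;
                pixel_countdown--;
            }
        } else {                                  /* copy -byte_run literal bytes; 0 copies nothing */
            byte_run = -byte_run;
            if (pixel_ptr + byte_run > width)
                return BRUN_OVERFLOW;
            for (j = 0; j < byte_run; j++) {
                pixels[pixel_ptr++] = (uint8_t)br_get_byte(&r);
                pixel_countdown--;
            }
        }
    }
    return BRUN_OK;
}

/* Constructed inputs for a 4-byte line (not taken from any real FLIC file). */
static const uint8_t SAMPLE_VALID[]     = { 0x02, 0xAA, 0xFE, 0x11, 0x22 }; /* 2x 0xAA, then literal 0x11 0x22 */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x02, 0xAA };                   /* data ends after 2 of 4 pixels */
static const uint8_t SAMPLE_ZERO_RUN[]  = { 0x00, 0x00, 0x04, 0xBB };       /* explicit zero-length runs first */

#define ITER_CAP 64

static int decode_sample(const uint8_t *data, size_t len, int hardened)
{
    uint8_t line[4] = { 0 };
    return decode_brun_line(data, len, line, (int)sizeof line, hardened, ITER_CAP);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "zero run", "overflow", "hang" };
    printf("valid:     unhardened=%s hardened=%s\n",
           names[decode_sample(SAMPLE_VALID, sizeof SAMPLE_VALID, 0)],
           names[decode_sample(SAMPLE_VALID, sizeof SAMPLE_VALID, 1)]);
    printf("truncated: unhardened=%s hardened=%s\n",
           names[decode_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0)],
           names[decode_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 1)]);
    printf("zero run:  unhardened=%s hardened=%s\n",
           names[decode_sample(SAMPLE_ZERO_RUN, sizeof SAMPLE_ZERO_RUN, 0)],
           names[decode_sample(SAMPLE_ZERO_RUN, sizeof SAMPLE_ZERO_RUN, 1)]);
    return 0;
}
```

Note that the zero-run sample alone does not hang the unhardened loop: zero runs are skipped while input remains and the 0x04 run then fills the line. The hang needs the reader to run out of data before pixel_countdown reaches zero, at which point every read yields 0 and nothing ever decrements the countdown, so the minimal check is on the remaining input, as in the truncated sample.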