[libav-bugs] [Bug 1175] New: Wrong return value in function decode_packet in libavcodec/wmalosslessdec.c

bugzilla at libav.org bugzilla at libav.org
Mon Oct 7 10:49:07 CEST 2019


https://bugzilla.libav.org/show_bug.cgi?id=1175

            Bug ID: 1175
           Summary: Wrong return value in function decode_packet in
                    libavcodec/wmalosslessdec.c
           Product: Libav
           Version: git HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: yangx92 at hotmail.com

Hi,

There is a bug in function decode_packet in libavcodec/wmalosslessdec.c, as the
function returns 0 instead of AVERROR_INVALIDDATA when the input is too small.
It may lead to an infinite loop vulnerability in valid calling programs.


static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
                         AVPacket* avpkt)
{
    WmallDecodeCtx *s = avctx->priv_data;
    BitstreamContext *bc = &s->pbc;
    const uint8_t* buf = avpkt->data;
    int buf_size       = avpkt->size;
    int num_bits_prev_frame, packet_sequence_number, spliced_packet;

    s->frame->nb_samples = 0;

    if (s->packet_done || s->packet_loss) {
        s->packet_done = 0;

        /* sanity check for the buffer length */
        if (buf_size < avctx->block_align)
            return 0;

The bug is the same as the bug that is fixed in
https://git.libav.org/?p=libav.git;a=commit;h=4c0080b7e7d501e2720d2a61f5186a18377f9d63.
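
The failure mode described in the report, as an added example that is not part of the original report or of Libav's code: a simplified model of a decoder's short-input check and a hypothetical caller loop that advances by the number of bytes consumed. `BLOCK_ALIGN`, `ERR_INVALID`, `MAX_CALLS`, `drain` and both decode stubs are assumptions made for illustration; the guard counter exists only so the demonstration terminates.

```c
#include <stddef.h>

#define BLOCK_ALIGN  8     /* constructed stand-in for avctx->block_align */
#define ERR_INVALID  (-1)  /* stand-in for AVERROR_INVALIDDATA */
#define MAX_CALLS    1000  /* demo guard: a real caller has no such limit */

typedef int (*decode_fn)(const unsigned char *buf, int size);

/* Reported behaviour: a short packet yields 0, which a caller reads as
 * "no error, zero bytes consumed". */
static int decode_returns_zero(const unsigned char *buf, int size)
{
    (void)buf;
    if (size < BLOCK_ALIGN)
        return 0;
    return BLOCK_ALIGN;
}

/* Behaviour the report asks for: a short packet yields an error code. */
static int decode_returns_error(const unsigned char *buf, int size)
{
    (void)buf;
    if (size < BLOCK_ALIGN)
        return ERR_INVALID;
    return BLOCK_ALIGN;
}

/* Hypothetical caller: feed the buffer until it is empty or an error occurs.
 * Returns the number of decode calls made, or -1 if the guard tripped,
 * meaning the loop would never have ended on its own. */
int drain(decode_fn decode, const unsigned char *buf, int size)
{
    int calls = 0;
    while (size > 0) {
        if (++calls > MAX_CALLS)
            return -1;
        int used = decode(buf, size);
        if (used < 0)
            break;          /* error: stop feeding data */
        buf  += used;       /* used == 0 leaves buf and size unchanged */
        size -= used;
    }
    return calls;
}

/* Constructed 20-byte input: two full blocks plus a 4-byte short tail. */
int stalls_with_zero(void) { unsigned char p[20] = {0}; return drain(decode_returns_zero, p, 20); }
int stops_with_error(void) { unsigned char p[20] = {0}; return drain(decode_returns_error, p, 20); }
```

With the zero return the loop makes no progress on the 4-byte tail and only the guard ends it; with the error return the caller stops on the third call.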
