[libav-bugs] [Bug 1177] New: Out-of-bounds value nbits in function read_low_coeffs in libavcodec/pixlet.c

bugzilla at libav.org bugzilla at libav.org
Mon Oct 7 12:29:05 CEST 2019


https://bugzilla.libav.org/show_bug.cgi?id=1177

            Bug ID: 1177
           Summary: Out-of-bounds value nbits in function read_low_coeffs
                    in libavcodec/pixlet.c
           Product: Libav
           Version: git HEAD
          Hardware: Other
                OS: Windows
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: yangx92 at hotmail.com

Hi,

There is an out-of-bounds vulnerability involving the value nbits in function
read_low_coeffs in libavcodec/pixlet.c.


static int read_low_coeffs(AVCodecContext *avctx, int16_t *dst, size_t size,
                           size_t width, ptrdiff_t stride)
{
    ...
        nbits  = ((state + 8) >> 5) + (state ? ff_clz(state) : 32) - 24;
        escape = av_mod_uintp2(16383, nbits);
        cnt1   = get_unary(bc, 0, 8);
        if (cnt1 > 7) {
            rlen = bitstream_read(bc, 16);
        } else {
            value = bitstream_read(bc, nbits);
            if (value <= 1) {
                bitstream_unget(bc, value & 1, 1);
                value = 1;
            }
            rlen = value + escape * cnt1 - 1;
        }
    ...
}

It is possible that nbits is less than 1 or greater than 25.
As we can see, the corresponding value (variable pfx) is checked in read_high_coeffs.

static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst,
                            int size, int64_t c, int a, int64_t d,
                            int width, ptrdiff_t stride)
{
    ...
        pfx    = ((state + 8) >> 5) + (state ? ff_clz(state) : 32) - 24;
        escape = av_mod_uintp2(16383, pfx);
        cnt1   = get_unary(bc, 0, 8);
        if (cnt1 < 8) {
            if (pfx < 1 || pfx > 25)
                return AVERROR_INVALIDDATA;

            value = bitstream_read(bc, pfx);
            if (value <= 1) {
                bitstream_unget(bc, value & 1, 1);
                value = 1;
            }
            rlen = value + escape * cnt1 - 1;
        } else {
            if (bitstream_read_bit(bc))
                value = bitstream_read(bc, 16);
            else
                value = bitstream_read(bc, 8);

            rlen = value + 8 * escape;
        }

    ...
}
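The following is an added example, not code from this report or from Libav's pixlet.c. It reproduces the nbits expression quoted above on its own (with __builtin_clz standing in for ff_clz and state assumed to be a 32-bit unsigned accumulator), applies the same [1, 25] range check that read_high_coeffs performs, and computes the escape mask only after that check, so the shift inside av_mod_uintp2 and the later bitstream_read never see a width outside the supported range. count_invalid_states is a constructed helper that enumerates how many state values in an interval would be rejected by the check.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for Libav's ff_clz(): leading zeros of a 32-bit value.
 * The caller handles state == 0, exactly as the pixlet.c expression does. */
static int clz32(uint32_t v)
{
    return __builtin_clz(v);
}

/* The nbits/pfx expression from read_low_coeffs / read_high_coeffs.
 * 'state' is assumed to be a 32-bit unsigned value here; the result is
 * kept as a signed int so that a negative bit count stays visible. */
static int pixlet_nbits(uint32_t state)
{
    int clz = state ? clz32(state) : 32;
    return (int)((state + 8u) >> 5) + clz - 24;
}

/* Range check mirroring the one in read_high_coeffs: a bit count outside
 * [1, 25] must be rejected before bitstream_read() or av_mod_uintp2() run.
 * Returns 1 when nbits is usable, 0 otherwise. */
static int nbits_is_valid(int nbits)
{
    return nbits >= 1 && nbits <= 25;
}

/* av_mod_uintp2(16383, nbits) guarded by the check above.
 * Returns the escape value, or -1 (standing in for AVERROR_INVALIDDATA)
 * when nbits is out of range, so the shift is never evaluated with an
 * invalid width. */
static int escape_for_nbits(int nbits)
{
    if (!nbits_is_valid(nbits))
        return -1;
    return (int)(16383u & ((1u << nbits) - 1u));
}

/* Constructed helper: count the state values in [lo, hi] whose derived
 * nbits would fail the range check. A 64-bit loop counter avoids wrapping
 * when hi == UINT32_MAX. */
static uint64_t count_invalid_states(uint32_t lo, uint32_t hi)
{
    uint64_t invalid = 0;
    for (uint64_t s = lo; s <= hi; s++)
        if (!nbits_is_valid(pixlet_nbits((uint32_t)s)))
            invalid++;
    return invalid;
}

int main(void)
{
    /* Constructed sample states: small ones behave, the last two do not. */
    const uint32_t samples[] = { 0, 3, 256, 0x3FF, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int nbits = pixlet_nbits(samples[i]);
        printf("state=%#010x nbits=%d valid=%d escape=%d\n",
               samples[i], nbits, nbits_is_valid(nbits),
               escape_for_nbits(nbits));
    }
    printf("states in [0, 1023] rejected by the check: %llu\n",
           (unsigned long long)count_invalid_states(0, 1023));
    return 0;
}
```

The interesting rows are state 0x3FF, which yields nbits = 30 (more than the 25-bit maximum), and state 0xFFFFFFFF, where the 32-bit wrap of state + 8 yields nbits = -24; both are exactly the cases the missing check in read_low_coeffs lets through to bitstream_read.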
