[libav-commits] svq3: Prevent illegal reads while parsing extradata.

Alex Converse git at libav.org
Sun Apr 1 19:05:00 CEST 2012


Module: libav
Branch: release/0.7
Commit: f5ce67d837cd686f12c515e601acd6e2a5df05a7

Author:    Alex Converse <alex.converse at gmail.com>
Committer: Reinhard Tartler <siretart at tauware.de>
Date:      Thu Feb  9 20:21:47 2012 -0800

svq3: Prevent illegal reads while parsing extradata.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

---

 libavcodec/svq3.c |   19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 09d598c..662d74d 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -809,7 +809,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
     MpegEncContext *s = &h->s;
     int m;
     unsigned char *extradata;
+    unsigned char *extradata_end;
     unsigned int size;
+    int marker_found = 0;
 
     if (ff_h264_decode_init(avctx) < 0)
         return -1;
@@ -829,19 +831,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
 
         /* prowl for the "SEQH" marker in the extradata */
         extradata = (unsigned char *)avctx->extradata;
-        for (m = 0; m < avctx->extradata_size; m++) {
-            if (!memcmp(extradata, "SEQH", 4))
-                break;
-            extradata++;
+        extradata_end = avctx->extradata + avctx->extradata_size;
+        if (extradata) {
+            for (m = 0; m + 8 < avctx->extradata_size; m++) {
+                if (!memcmp(extradata, "SEQH", 4)) {
+                    marker_found = 1;
+                    break;
+                }
+                extradata++;
+            }
         }
 
         /* if a match was found, parse the extra data */
-        if (extradata && !memcmp(extradata, "SEQH", 4)) {
+        if (marker_found) {
 
             GetBitContext gb;
             int frame_size_code;
 
             size = AV_RB32(&extradata[4]);
+            if (size > extradata_end - extradata - 8)
+                return AVERROR_INVALIDDATA;
             init_get_bits(&gb, extradata + 8, size*8);
 
             /* 'frame size code' and optional 'width, height' */
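Review bot: The new bound check `if (size > extradata_end - extradata - 8)` compares an `unsigned int` with a `ptrdiff_t`, so it is only correct because the loop condition `m + 8 < avctx->extradata_size` guarantees the right-hand side is positive; if that bound is ever relaxed, a negative remainder would be converted to a huge unsigned value on platforms where `ptrdiff_t` is `int` and the check would pass. Spelling the remaining length out keeps the check self-evident: `size_t remaining = (size_t)(extradata_end - extradata) - 8;` followed by `if (size > remaining)`. Separately, `extradata_end = avctx->extradata + avctx->extradata_size;` is computed before the `if (extradata)` guard, so a NULL `extradata` with a non-zero size performs pointer arithmetic on NULL; moving that assignment inside the guard avoids it. The `size*8` passed to `init_get_bits` is bounded by `extradata_size` here, which presumably stays far below the overflow threshold, but a comment stating that assumption would help. svq3_decode_init continues outside the hunk.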


