[libav-stable] lavc: check for overflow in init_get_bits

Reinhard Tartler siretart at tauware.de
Mon Jan 14 07:39:04 CET 2013


On Mo, Jan 14, 2013 at 04:50:00 (CET), Luca Barbato  wrote:

> Module: libav
> Branch: master
> Commit: d9cf5f516974c64e01846ca685301014b38cf224
>
> Author:    Luca Barbato <lu_zero at gentoo.org>
> Committer: Luca Barbato <lu_zero at gentoo.org>
> Date:      Sun Jan 13 19:52:45 2013 +0100
>
> lavc: check for overflow in init_get_bits
>
> Fix an undefined behaviour and make the function return a proper
> error in case of overflow.
>
> CC: libav-stable at libav.org
>
> ---
>
>  libavcodec/get_bits.h |   22 +++++++++++++++-------
>  1 files changed, 15 insertions(+), 7 deletions(-)
>
> diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
> index c56a2c2..16cfd5e 100644
> --- a/libavcodec/get_bits.h
> +++ b/libavcodec/get_bits.h
> @@ -362,20 +362,27 @@ static inline int check_marker(GetBitContext *s, const char *msg)
>  }
>  
>  /**
> - * Inititalize GetBitContext.
> - * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes larger than the actual read bits
> - * because some optimized bitstream readers read 32 or 64 bit at once and could read over the end
> + * Initialize GetBitContext.
> + * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes
> + *        larger than the actual read bits because some optimized bitstream
> + *        readers read 32 or 64 bit at once and could read over the end
>   * @param bit_size the size of the buffer in bits
> + * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow.
>   */
> -static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer,
> -                                 int bit_size)
> +static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
> +                                int bit_size)
>  {
> -    int buffer_size = (bit_size+7)>>3;
> -    if (buffer_size < 0 || bit_size < 0) {
> +    int buffer_size;
> +    int ret = 0;
> +
> +    if (bit_size > INT_MAX - 7 || bit_size <= 0) {
>          buffer_size = bit_size = 0;
>          buffer = NULL;
> +        ret = AVERROR_INVALIDDATA;
>      }
>  
> +    buffer_size = (bit_size + 7) >> 3;
> +
>      s->buffer       = buffer;
>      s->size_in_bits = bit_size;
>  #if !UNCHECKED_BITSTREAM_READER
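Review bot: the new guard `if (bit_size > INT_MAX - 7 || bit_size <= 0)` tightens the old `buffer_size < 0 || bit_size < 0` check in two ways that the commit message and the `@return` comment only half describe: `bit_size == 0` is now an error rather than an accepted empty context, and the overflow check moves before the `(bit_size + 7) >> 3` computation so the signed addition can no longer overflow. The `@return` line says only "if the buffer_size would overflow"; it should also state that a zero or negative bit_size returns AVERROR_INVALIDDATA, and callers that legitimately pass a zero-length buffer need to be checked for that behaviour change.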
> @@ -383,6 +390,7 @@ static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer,
>  #endif
>      s->buffer_end   = buffer + buffer_size;
>      s->index        = 0;
> +    return ret;
>  }
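Review bot: `return ret;` changes the function's type from void to int, but a caller that ignores the result gets a context with `s->buffer == NULL`, `size_in_bits == 0` and `buffer_end == NULL` and will run the bitstream reader over an empty buffer. Since this patch touches only get_bits.h, every `init_get_bits` call site still discards the return value; the callers need a follow-up that propagates AVERROR_INVALIDDATA, otherwise the error path added here never reaches the decoder.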

OK for 9 and 0.8 if it applies

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4