
avcodec/cfhd: Require valid setup before Lowpass coefficients, BandHeader and BandSecondPass

Previously the code skipped all security checks when these were encountered but prior data was incorrect.
Also replace an always-true condition with an assert.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2021-04-03 15:19:22 +02:00
parent 20473a93d2
commit 3b88c88fa1


@ -701,11 +701,18 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual]; coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual];
/* Lowpass coefficients */ /* Lowpass coefficients */
if (tag == BitstreamMarker && data == 0xf0f && s->a_width && s->a_height) { if (tag == BitstreamMarker && data == 0xf0f) {
int lowpass_height = s->plane[s->channel_num].band[0][0].height; int lowpass_height, lowpass_width, lowpass_a_height, lowpass_a_width;
int lowpass_width = s->plane[s->channel_num].band[0][0].width;
int lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height; if (!s->a_width || !s->a_height) {
int lowpass_a_width = s->plane[s->channel_num].band[0][0].a_width; ret = AVERROR_INVALIDDATA;
goto end;
}
lowpass_height = s->plane[s->channel_num].band[0][0].height;
lowpass_width = s->plane[s->channel_num].band[0][0].width;
lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height;
lowpass_a_width = s->plane[s->channel_num].band[0][0].a_width;
if (lowpass_width < 3 || if (lowpass_width < 3 ||
lowpass_width > lowpass_a_width) { lowpass_width > lowpass_a_width) {
@ -755,17 +762,25 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
av_log(avctx, AV_LOG_DEBUG, "Lowpass coefficients %d\n", lowpass_width * lowpass_height); av_log(avctx, AV_LOG_DEBUG, "Lowpass coefficients %d\n", lowpass_width * lowpass_height);
} }
if ((tag == BandHeader || tag == BandSecondPass) && s->subband_num_actual != 255 && s->a_width && s->a_height) { av_assert0(s->subband_num_actual != 255);
int highpass_height = s->plane[s->channel_num].band[s->level][s->subband_num].height; if (tag == BandHeader || tag == BandSecondPass) {
int highpass_width = s->plane[s->channel_num].band[s->level][s->subband_num].width; int highpass_height, highpass_width, highpass_a_width, highpass_a_height, highpass_stride, a_expected;
int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
int expected; int expected;
int a_expected = highpass_a_height * highpass_a_width;
int level, run, coeff; int level, run, coeff;
int count = 0, bytes; int count = 0, bytes;
if (!s->a_width || !s->a_height) {
ret = AVERROR_INVALIDDATA;
goto end;
}
highpass_height = s->plane[s->channel_num].band[s->level][s->subband_num].height;
highpass_width = s->plane[s->channel_num].band[s->level][s->subband_num].width;
highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width;
highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height;
highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride;
a_expected = highpass_a_height * highpass_a_width;
if (!got_buffer) { if (!got_buffer) {
av_log(avctx, AV_LOG_ERROR, "No end of header tag found\n"); av_log(avctx, AV_LOG_ERROR, "No end of header tag found\n");
ret = AVERROR(EINVAL); ret = AVERROR(EINVAL);
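Review bot: The `av_assert0(s->subband_num_actual != 255);` added ahead of the BandHeader/BandSecondPass branch turns what used to be a skipped branch into a process abort, and it sits outside the `if`, so it is evaluated for every tag that reaches this point rather than only for band tags. The bound that makes the condition always true is established outside the lines shown, and `coeff_data` in the first hunk is already derived from `subband[s->subband_num_actual]` earlier in the function, so the assert appears to document the invariant rather than guard that index. Because this decoder parses untrusted streams, a one-line comment above the assert naming where `subband_num_actual` is range-checked would help keep a later change to that handler from turning crafted input into an abort. Separately, the two new `AVERROR_INVALIDDATA` exits are silent while the neighbouring `!got_buffer` path logs; a line such as `av_log(avctx, AV_LOG_ERROR, "Coefficient data before valid dimensions\n");` before each `goto end` would make rejected files diagnosable. The bodies of `cfhd_decode` and of the band branch continue outside the hunk.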