From 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 24 Mar 2012 01:39:13 +0100
Subject: [PATCH 1/8] alsdec: check opt_order. Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
---
 libavcodec/alsdec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index ef12253271..defe3c4850 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -668,6 +668,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1));
 *bd->opt_order = get_bits(gb, opt_order_length);
+ if (*bd->opt_order > sconf->max_order) {
+ *bd->opt_order = sconf->max_order;
+ av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+ return AVERROR_INVALIDDATA;
+ }
 } else {
 *bd->opt_order = sconf->max_order;
 }
From 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 29 Feb 2012 06:10:17 +0100
Subject: [PATCH 2/8] alsdec: Check that quantized parcor coeffs are within range. ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients ... In all cases the resulting quantized values ak are restricted to the range [-64,63].
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
---
 libavcodec/alsdec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index defe3c4850..b4bc41bee1 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
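Review bot: The clamp `*bd->opt_order = sconf->max_order;` right before `return AVERROR_INVALIDDATA;` reads as dead work unless the reader knows the block context is reused after a failed read, which is the intent stated in the commit message but not in the code. A comment on the clamp line would keep a later cleanup from dropping it: `// keep a sane order in bd: the block is rejected, but the context may be reused`. The new check only guards the branch that reads opt_order from the bitstream; the `else` branch assigns sconf->max_order directly, so it is only as safe as the validation max_order received when the stream configuration was parsed, which is not visible here. read_var_block_data begins and ends outside this hunk.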
@@ -705,6 +705,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 int rice_param = parcor_rice_table[sconf->coef_table][k][1];
 int offset = parcor_rice_table[sconf->coef_table][k][0];
 quant_cof[k] = decode_rice(gb, rice_param) + offset;
+ if (quant_cof[k] < -64 || quant_cof[k] > 63) {
+ av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]);
+ return AVERROR_INVALIDDATA;
+ }
 }
 // read coefficients 20 to 126
From 97f0efbfb86d24f081b2caa39f6249e05c95c2ef Mon Sep 17 00:00:00 2001
From: Thilo Borgmann
Date: Sun, 11 Mar 2012 16:56:23 +0100
Subject: [PATCH 3/8] alsdec: Fix out of ltp_gain_values read.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
---
 libavcodec/alsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index b4bc41bee1..3990b502bf 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -741,7 +741,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 bd->ltp_gain[0] = decode_rice(gb, 1) << 3;
 bd->ltp_gain[1] = decode_rice(gb, 2) << 3;
- r = get_unary(gb, 0, 4);
+ r = get_unary(gb, 0, 3);
 c = get_bits(gb, 2);
 bd->ltp_gain[2] = ltp_gain_values[r][c];
From 66197988b1ee914825afbc3084e6da63f862068a Mon Sep 17 00:00:00 2001
From: Thilo Borgmann
Date: Sun, 15 Apr 2012 18:07:12 +0200
Subject: [PATCH 4/8] alsdec: fix number of decoded samples in first sub-block in BGMC mode. Fixes CVE-2012-2790
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Signed-off-by: Justin Ruggles
---
 libavcodec/alsdec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 3990b502bf..02307795fb 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
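Review bot: The literals in `if (quant_cof[k] < -64 || quant_cof[k] > 63)` are spec constants that nothing in the code names; a comment citing the passage quoted in the commit message keeps the provenance: `// ALS 11.6.3.1.1: quantized parcor coefficients are restricted to [-64, 63]`. That passage says the restriction holds in all cases, yet the guard sits only in the loop over the first coefficients. If the `// read coefficients 20 to 126` loop that follows also fills quant_cof from decode_rice, it presumably needs the same guard, which should be confirmed in the part of read_var_block_data outside this hunk.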
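Review bot: The new bound in `r = get_unary(gb, 0, 3);` is a bare literal whose only justification is the row count of ltp_gain_values, which is not visible in this hunk and can silently drift if the table is ever resized. Given the commit title, get_unary presumably returns values up to and including its third argument, so the old 4 indexed one past the last row; a comment on the line should record that: `// upper bound must stay below the row count of ltp_gain_values`. `c = get_bits(gb, 2)` makes the matching column assumption, so a single comment covering both indexes is enough. read_var_block_data continues on both sides of this hunk.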
@@ -770,7 +770,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 int delta[8];
 unsigned int k [8];
 unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5);
- unsigned int i;
 // read most significant bits
 unsigned int high;
@@ -782,28 +781,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 current_res = bd->raw_samples + start;
 for (sb = 0; sb < sub_blocks; sb++) {
+ unsigned int sb_len = sb_length - (sb ? 0 : start);
+
 k [sb] = s[sb] > b ? s[sb] - b : 0;
 delta[sb] = 5 - s[sb] + k[sb];
- ff_bgmc_decode(gb, sb_length, current_res,
+ ff_bgmc_decode(gb, sb_len, current_res,
 delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);
- current_res += sb_length;
+ current_res += sb_len;
 }
 ff_bgmc_decode_end(gb);
 // read least significant bits and tails
- i = start;
 current_res = bd->raw_samples + start;
- for (sb = 0; sb < sub_blocks; sb++, i = 0) {
+ for (sb = 0; sb < sub_blocks; sb++, start = 0) {
 unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]];
 unsigned int cur_k = k[sb];
 unsigned int cur_s = s[sb];
- for (; i < sb_length; i++) {
+ for (; start < sb_length; start++) {
 int32_t res = *current_res;
 if (res == cur_tail_code) {
From ac3f5a6879396680c616eabba13609c753939070 Mon Sep 17 00:00:00 2001
From: Thilo Borgmann
Date: Tue, 27 Mar 2012 18:06:54 +0200
Subject: [PATCH 5/8] alsdec: check return values.
Signed-off-by: Justin Ruggles
---
 libavcodec/alsdec.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 02307795fb..dce76b0a71 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1348,7 +1348,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
 }
 } else { // multi-channel coding
 ALSBlockData bd = { 0 };
- int b;
+ int b, ret;
 int *reverted_channels = ctx->reverted_channels;
 unsigned int offset = 0;
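Review bot: Reusing `start` as the loop counter in `for (sb = 0; sb < sub_blocks; sb++, start = 0)` and `for (; start < sb_length; start++)` leaves it at 0 once the loops finish, whereas the removed `i` preserved the original offset; if anything later in read_var_block_data, outside this hunk, still reads `start` as the block's first-sample offset, that is a silent regression. Keeping a dedicated index sidesteps the question while preserving the fix: leave the old `i = start;` assignment before the second loop, use `sb++, i = 0` in its header and `for (; i < sb_length; i++)` for the inner loop, and drop the first hunk's removal of `unsigned int i;`. The added `sb_len` line is the actual fix and is fine; only the counter reuse is at issue. The enclosing function begins and ends outside both hunks.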
@@ -1381,9 +1381,10 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
 bd.raw_samples = ctx->raw_samples[c] + offset;
 bd.raw_other = NULL;
- read_block(ctx, &bd);
- if (read_channel_data(ctx, ctx->chan_data[c], c))
- return -1;
+ if ((ret = read_block(ctx, &bd)) < 0)
+ return ret;
+ if ((ret = read_channel_data(ctx, ctx->chan_data[c], c)) < 0)
+ return ret;
 }
 for (c = 0; c < avctx->channels; c++)
@@ -1402,7 +1403,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
 bd.lpc_cof = ctx->lpc_cof[c];
 bd.quant_cof = ctx->quant_cof[c];
 bd.raw_samples = ctx->raw_samples[c] + offset;
- decode_block(ctx, &bd);
+ if ((ret = decode_block(ctx, &bd)) < 0)
+ return ret;
 }
 memset(reverted_channels, 0, avctx->channels * sizeof(*reverted_channels));
From ee0f53e966e3a637d9e0050d7be2689d4631faef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?=
Date: Tue, 4 Sep 2012 14:30:14 -0400
Subject: [PATCH 6/8] alsdec: fix misplaced parentheses.
Signed-off-by: Justin Ruggles
---
 libavcodec/alsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index dce76b0a71..1c3f0cbdb5 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1453,7 +1453,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 ctx->cur_frame_length = sconf->frame_length;
 // decode the frame data
- if ((invalid_frame = read_frame_data(ctx, ra_frame) < 0))
+ if ((invalid_frame = read_frame_data(ctx, ra_frame)) < 0)
 av_log(ctx->avctx, AV_LOG_WARNING, "Reading frame data failed. Skipping RA unit.\n");
From 2a8a860ae65b0c1c955f148d8697cc30adc71cf3 Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Sun, 16 Sep 2012 21:47:16 +0100
Subject: [PATCH 7/8] configure: include flags in nm variable This simplifies ensuring proper flags are used when the default is overridden by the system or on the command line.
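Review bot: The replaced condition for read_channel_data tightens from any non-zero return (`if (read_channel_data(...))`) to `< 0`, so a positive non-zero result, if that function can produce one, now passes as success; its return contract lies outside this hunk and should be confirmed, otherwise `!= 0` is the conservative form for that call. The same `(ret = ...) < 0` pattern on read_block here and on decode_block in the next hunk returns from inside per-channel loops, leaving whatever per-frame state was set up for earlier channels untouched; that is acceptable only if the caller discards the whole frame on a negative return, which this patch does not show. read_frame_data continues outside both hunks.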
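Review bot: With the parentheses corrected, `invalid_frame` receives the raw return value of read_frame_data rather than the 0/1 outcome of the comparison, so it is negative on failure and carries whatever the function returns on success; any later use of `invalid_frame` as a boolean flag, which lies outside this hunk, changes meaning if that success value can be non-zero. If the variable is meant as a flag, keeping the comparison result is clearer and independent of the callee: `int ret = read_frame_data(ctx, ra_frame);` (or an existing status variable) followed by `invalid_frame = ret < 0;` and `if (invalid_frame)` around the av_log. decode_frame begins and ends outside the hunk.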
Signed-off-by: Mans Rullgard
---
 configure | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/configure b/configure
index 7c377aa061..8a59262299 100755
--- a/configure
+++ b/configure
@@ -1769,13 +1769,12 @@ ar_default="ar"
 cc_default="gcc"
 host_cc_default="gcc"
 ln_s="ln -sf"
-nm_default="nm"
+nm_default="nm -g"
 objformat="elf"
 pkg_config_default=pkg-config
 ranlib="ranlib"
 yasmexe="yasm"
-nm_opts='-g'
 nogas=":"
 # machine
@@ -2038,7 +2037,7 @@ ranlib="${cross_prefix}${ranlib}"
 sysinclude_default="${sysroot}/usr/include"
-set_default cc nm pkg_config sysinclude
+set_default cc pkg_config sysinclude
 enabled cross_compile || host_cc_default=$cc
 set_default host_cc
@@ -2690,7 +2689,7 @@ case $target_os in
 # guards for processor-specific code, instead suppress
 # generation of the HWCAPS ELF section on Solaris x86 only.
 enabled_all suncc x86 && echo "hwcap_1 = OVERRIDE;" > mapfile && add_ldflags -Wl,-M,mapfile
- nm_opts='-P -g'
+ nm_default='nm -P -g'
 ;;
 netbsd)
 disable symver
@@ -2881,6 +2880,7 @@ echo "config:$arch:$subarch:$cpu:$target_os:$(esc $cc_ident):$(esc $LIBAV_CONFIG
 check_cpp_condition stdlib.h "defined(__PIC__) || defined(__pic__) || defined(PIC)" && enable pic
 set_default $PATHS_LIST
+set_default nm
 # we need to build at least one lib type
 if ! enabled_any static shared; then
@@ -2928,7 +2928,7 @@ enabled pic && enable_pic
 check_cc <
Date: Mon, 17 Sep 2012 21:14:58 +0200
Subject: [PATCH 8/8] flvenc: silence bogus warning The compiler fails to figure out that enc->codec_type can only have 3 different values. Thus when an if/else is encountered it triggers on the possibility of the else case has not initialized the flags variable.
Signed-off-by: Luca Barbato
---
 libavformat/flvenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index 57e7aac23e..839b9b0df4 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
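Review bot: The Solaris override `nm_default='nm -P -g'` in the @@ -2690 hunk hard-codes the bare tool name, while the @@ -2038 context shows sibling tools carrying the cross prefix (`ranlib="${cross_prefix}${ranlib}"`); if nm_default is prefixed the same way earlier in configure, this assignment discards that prefix for cross builds targeting Solaris, something the removed `nm_opts` split did not do. A form that keeps whatever name was already resolved would be `nm_default="$nm_default -P"`, or, if the prefix is applied later, a comment on the line stating that the override is expected to be unprefixed. Moving `set_default nm` from the @@ -2038 hunk to the @@ -2881 hunk also leaves `$nm` unset for everything that runs between those points, which is harmless only if no check in that range invokes it; that cannot be verified from these hunks. The @@ -2928 hunk is truncated in this copy of the patch and was not reviewed.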
@@ -421,7 +421,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt)
 unsigned ts;
 int size = pkt->size;
 uint8_t *data = NULL;
- int flags, flags_size;
+ int flags = 0, flags_size;
 // av_log(s, AV_LOG_DEBUG, "type:%d pts: %"PRId64" size:%d\n",
 // enc->codec_type, timestamp, size);
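Review bot: `int flags = 0, flags_size;` silences the warning but leaves no trace that 0 is not a meaningful default, so a future codec_type branch that forgets to assign flags would silently proceed with a zero value instead of tripping the compiler; a comment on the line keeps that visible: `int flags = 0, flags_size; /* 0 only to silence the uninitialized-use warning; every codec_type branch below assigns flags */`. The claim that every branch assigns it comes from the commit message, since the branches themselves are outside this hunk. flv_write_packet begins and ends outside the hunk.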