| Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | From 8b94df0f2047e9728cb872adc9e64557b7a5152f Mon Sep 17 00:00:00 2001 |
| 2 | From: Reinhard Tartler <siretart@tauware.de> |
| 3 | Date: Sun, 4 Dec 2011 10:10:33 +0100 |
| 4 | Subject: [PATCH] vp3dec: Check coefficient index in vp3_dequant() |
| 5 | |
| 6 | Based on a patch by Michael Niedermayer <michaelni@gmx.at> |
| 7 | |
| 8 | Fixes NGS00145, CVE-2011-4352 |
| 9 | |
| 10 | Found-by: Phillip Langlois |
| 11 | Signed-off-by: Reinhard Tartler <siretart@tauware.de> |
| 12 | |
| 13 | |
| 14 | Upstream-Status: Backport |
| 15 | |
| 16 | http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b94df0f2047e9728cb872adc9e64557b7a5152f |
| 17 | |
| 18 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| 19 | --- |
| 20 | libavcodec/vp3.c | 14 ++++++++++++-- |
| 21 | 1 file changed, 12 insertions(+), 2 deletions(-) |
| 22 | |
| 23 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c |
| 24 | index 51ab048..f44d084 100644 |
| 25 | --- a/gst-libs/ext/libav/libavcodec/vp3.c |
| 26 | +++ b/gst-libs/ext/libav/libavcodec/vp3.c |
| 27 | @@ -1363,6 +1363,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, |
| 28 | case 1: // zero run |
| 29 | s->dct_tokens[plane][i]++; |
| 30 | i += (token >> 2) & 0x7f; |
| 31 | + if (i > 63) { |
| 32 | + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); |
| 33 | + return i; |
| 34 | + } |
| 35 | block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; |
| 36 | i++; |
| 37 | break; |
| 38 | @@ -1566,7 +1570,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) |
| 39 | /* invert DCT and place (or add) in final output */ |
| 40 | |
| 41 | if (s->all_fragments[i].coding_method == MODE_INTRA) { |
| 42 | - vp3_dequant(s, s->all_fragments + i, plane, 0, block); |
| 43 | + int index; |
| 44 | + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); |
| 45 | + if (index > 63) |
| 46 | + continue; |
| 47 | if(s->avctx->idct_algo!=FF_IDCT_VP3) |
| 48 | block[0] += 128<<3; |
| 49 | s->dsp.idct_put( |
| 50 | @@ -1574,7 +1581,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) |
| 51 | stride, |
| 52 | block); |
| 53 | } else { |
| 54 | - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { |
| 55 | + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); |
| 56 | + if (index > 63) |
| 57 | + continue; |
| 58 | + if (index > 0) { |
| 59 | s->dsp.idct_add( |
| 60 | output_plane + first_pixel, |
| 61 | stride, |
| 62 | -- |
| 63 | 2.1.1 |
| 64 | |