[01/10] cavsdec: check for changing w/h.

Message ID 1348848193-25299-1-git-send-email-anton@khirnov.net
State Committed
Commit 6996a2f796898753b85d9465653f995148ebc753
Headers show

Commit Message

Anton Khirnov Sept. 28, 2012, 4:03 p.m.
From: Michael Niedermayer <michaelni@gmx.at>

Our decoder does not support changing w/h.

Fixes CVE-2012-2777 and CVE-2012-2784.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/cavsdec.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Comments

Justin Ruggles Sept. 28, 2012, 4:29 p.m. | #1
On 09/28/2012 12:03 PM, Anton Khirnov wrote:
> From: Michael Niedermayer <michaelni@gmx.at>
> 
> Our decoder does not support changing w/h.
> 
> Fixes CVE-2012-2777 and CVE-2012-2784.
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Anton Khirnov <anton@khirnov.net>
> ---
>  libavcodec/cavsdec.c |   13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
> index 33e639b..e55e4f6 100644
> --- a/libavcodec/cavsdec.c
> +++ b/libavcodec/cavsdec.c
> @@ -1056,12 +1056,21 @@ static int decode_pic(AVSContext *h) {
>  static int decode_seq_header(AVSContext *h) {
>      MpegEncContext *s = &h->s;
>      int frame_rate_code;
> +    int width, height;
>  
>      h->profile =         get_bits(&s->gb,8);
>      h->level =           get_bits(&s->gb,8);
>      skip_bits1(&s->gb); //progressive sequence
> -    s->width =           get_bits(&s->gb,14);
> -    s->height =          get_bits(&s->gb,14);
> +
> +    width  = get_bits(&s->gb, 14);
> +    height = get_bits(&s->gb, 14);
> +    if ((s->width || s->height) && (s->width != width || s->height != height)) {
> +        av_log_missing_feature(s, "Width/height changing in CAVS is", 0);
> +        return AVERROR_PATCHWELCOME;
> +    }
> +    s->width  = width;
> +    s->height = height;
> +
>      skip_bits(&s->gb,2); //chroma format
>      skip_bits(&s->gb,3); //sample_precision
>      h->aspect_ratio =    get_bits(&s->gb,4);

LGTM

-Justin

Patch

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 33e639b..e55e4f6 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1056,12 +1056,21 @@  static int decode_pic(AVSContext *h) {
 static int decode_seq_header(AVSContext *h) {
     MpegEncContext *s = &h->s;
     int frame_rate_code;
+    int width, height;
 
     h->profile =         get_bits(&s->gb,8);
     h->level =           get_bits(&s->gb,8);
     skip_bits1(&s->gb); //progressive sequence
-    s->width =           get_bits(&s->gb,14);
-    s->height =          get_bits(&s->gb,14);
+
+    width  = get_bits(&s->gb, 14);
+    height = get_bits(&s->gb, 14);
+    if ((s->width || s->height) && (s->width != width || s->height != height)) {
+        av_log_missing_feature(s, "Width/height changing in CAVS is", 0);
+        return AVERROR_PATCHWELCOME;
+    }
+    s->width  = width;
+    s->height = height;
+
     skip_bits(&s->gb,2); //chroma format
     skip_bits(&s->gb,3); //sample_precision
     h->aspect_ratio =    get_bits(&s->gb,4);