From 3eb6983dbcfafc639ad3b9e34a5b4f8ff736310b Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Fri, 28 Oct 2011 23:50:04 -0700
Subject: [PATCH 1/3] vp3: fix oob read for negative tokens and memleaks on error.

(cherry picked from commit 8370e426e42f2e4b9d14a1fb8107ecfe5163ce7f)
Fixes: #189 Chromium-Bug: 101172,100465 CVE-2011-3892
Removed the parts that are related to multi-threading, which is not included before 0.7.
Signed-off-by: Reinhard Tartler
(cherry picked from commit c624935554332f8921a15265b8720f0c7b3c8cc2)
Conflicts:
	libavcodec/vp3.c
(cherry picked from commit c9c7db0af2a0fc14764a07f0e61cebf11238e3c2)
Conflicts:
	libavcodec/vp3.c
Signed-off-by: Reinhard Tartler
---
 libavcodec/vp3.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 429c4f98a4..69248d6775 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1011,12 +1011,12 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
 /* decode a VLC into a token */
 token = get_vlc2(gb, table->table, 5, 3);
 /* use the token to get a zero run, a coefficient, and an eob run */
- if (token <= 6) {
+ if ((unsigned) token <= 6U) {
 eob_run = eob_run_base[token];
 if (eob_run_get_bits[token])
 eob_run += get_bits(gb, eob_run_get_bits[token]);
 coeff = zero_run = 0;
- } else {
+ } else if (token >= 0) {
 bits_to_get = coeff_get_bits[token];
 if (!bits_to_get)
 coeff = coeff_tables[token][0];
@@ -1026,6 +1026,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
 zero_run = zero_run_base[token];
 if (zero_run_get_bits[token])
 zero_run += get_bits(gb, zero_run_get_bits[token]);
+ } else {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid token %d\n", token);
+ return -1;
 }
 }
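Review bot: The new `else if (token >= 0)` branch still indexes `coeff_get_bits[token]`, `coeff_tables[token]`, `zero_run_base[token]` and `zero_run_get_bits[token]` with no visible upper bound, so the fix relies on the VLC tables never yielding a token past the end of those arrays; if that invariant is established where the tables are built (outside this diff), a comment here should say so, e.g. `/* negative token = invalid VLC code; non-negative tokens are bounded by the tables built at init */`, adjusted to the actual bound. The `(unsigned) token <= 6U` comparison also deserves a one-line comment, since it silently keeps negative tokens out of the `eob_run_base[]` lookup: `/* cast: a negative (invalid) token must not index eob_run_base[] */`. Returning a bare `-1` works only because the callers in the following hunks test `< 0`; if this tree has `AVERROR_INVALIDDATA`, that would be the conventional value. The enclosing loop and the rest of `unpack_vlcs` are outside the hunks.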
@@ -1071,6 +1075,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
 /* unpack the C plane DC coefficients */
 residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
 s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 /* fetch the AC table indexes */
 ac_y_table = get_bits(gb, 4);
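Review bot: The check added after the C-plane DC call has no counterpart for the Y-plane DC call that presumably precedes it: the hunk offsets (+4 at `@@ -1071,6 +1075,8 @@`, exactly the four lines added by the previous hunk at 1026) show nothing was changed between the two hunks, so a negative result from the Y-plane `unpack_vlcs` call would be fed straight into this call as its initial `residual_eob_run`. Unless that call is already guarded in code outside the diff, the same two lines belong right after it: `if (residual_eob_run < 0) return residual_eob_run;`. The start of `unpack_dct_coeffs` is outside the hunk.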
@@ -1080,36 +1086,52 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
 for (i = 1; i <= 5; i++) {
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_1[ac_y_table], i,
 s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_1[ac_c_table], i,
 s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 }
 /* unpack the group 2 AC coefficients (coeffs 6-14) */
 for (i = 6; i <= 14; i++) {
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_2[ac_y_table], i,
 s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_2[ac_c_table], i,
 s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 }
 /* unpack the group 3 AC coefficients (coeffs 15-27) */
 for (i = 15; i <= 27; i++) {
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_3[ac_y_table], i,
 s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_3[ac_c_table], i,
 s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 }
 /* unpack the group 4 AC coefficients (coeffs 28-63) */
 for (i = 28; i <= 63; i++) {
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_4[ac_y_table], i,
 s->first_coded_y_fragment, s->last_coded_y_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 residual_eob_run = unpack_vlcs(s, gb, &s->ac_vlc_4[ac_c_table], i,
 s->first_coded_c_fragment, s->last_coded_c_fragment, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
 }
 return 0;
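Review bot: `unpack_dct_coeffs` previously had `return 0;` as its only visible exit and now propagates the `-1` from `unpack_vlcs`; its caller is outside this diff, so confirm that it treats a negative return as a decode failure rather than ignoring the value, otherwise the new checks only stop the unpacking early and the decoder would carry on with partially filled coefficient data. Style-wise, the same two-line check is now pasted eight times across four loops that differ only in the VLC array and the coefficient range; a table-driven loop over the four groups would halve that, though that is arguably out of scope for a security backport. The beginning of the function is outside the hunk.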
From 665421f3b1a626610206410e5dc12e5e236b92a2 Mon Sep 17 00:00:00 2001
From: Chris Evans
Date: Thu, 5 Jan 2012 21:25:41 +0100
Subject: [PATCH 2/3] vorbis: Avoid some out-of-bounds reads

Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893
Signed-off-by: Reinhard Tartler
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 6d6254ba9fbb22260939c06db1faed5bbd295ad4)
Conflicts:
	libavcodec/vorbis.c
---
 libavcodec/vorbis.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index dbc409f8d7..13e7e65b0f 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -146,13 +146,13 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) {
 }
 }
-static void render_line(int x0, int y0, int x1, int y1, float * buf) {
+static void render_line(int x0, uint8_t y0, int x1, int y1, float * buf) {
 int dy = y1 - y0;
 int adx = x1 - x0;
 int base = dy / adx;
 int ady = FFABS(dy) - FFABS(base) * adx;
 int x = x0;
- int y = y0;
+ uint8_t y = y0;
 int err = 0;
 int sy = dy<0 ? -1 : 1;
 buf[x] = ff_vorbis_floor1_inverse_db_table[y];
@@ -168,7 +168,8 @@ static void render_line(int x0, int y0, int x1, int y1, float * buf) {
 }
 void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint_fast16_t * y_list, int * flag, int multiplier, float * out, int samples) {
- int lx, ly, i;
+ int lx, i;
+ uint8_t ly;
 lx = 0;
 ly = y_list[0] * multiplier;
 for (i = 1; i < values; i++) {
From 7ee536e87a569174775dabdd959a9b12c1d2ac3d Mon Sep 17 00:00:00 2001
From: Chris Evans
Date: Thu, 5 Jan 2012 21:19:30 +0100
Subject: [PATCH 3/3] matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()

Fixes bug #190 Chromium bug #100492 related to CVE-2011-3893
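Review bot: Narrowing `y0`, `y` and `ly` to `uint8_t` keeps the `ff_vorbis_floor1_inverse_db_table[y]` index in range by modular truncation (assuming the table has at least 256 entries) rather than by rejecting the bad value, so `ly = y_list[0] * multiplier` — a `uint_fast16_t` product — silently wraps and a malformed floor yields wrong amplitudes instead of an error; a defensible trade for a backport, but the intent should be recorded at each declaration, e.g. `/* uint8_t on purpose: bounds the inverse_db_table index for malformed y_list values */`. Note that `y1` stays `int` and `dy = y1 - y0` still uses the full-range value, so the stepped `y` (presumably updated in the loop body beyond the hunk) is bounded only by its type, not steered toward a valid `y1`. The same remark applies to `uint8_t ly` in the second hunk, where the later `y_list[i]` values are presumably still passed as `int`; both function bodies continue outside the hunks.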
Signed-off-by: Reinhard Tartler
(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 1f625431e2bb9564760fba3ab8077ae07ce7c7a1)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 90a4a467477be8c292daa08a9516ee78ca0d517b)
Signed-off-by: Reinhard Tartler
---
 libavformat/matroskadec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index d9ffec3727..e16cd1efd4 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1063,13 +1063,13 @@ static void matroska_convert_tags(AVFormatContext *s)
 static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
 {
 EbmlList *seekhead_list = &matroska->seekhead;
- MatroskaSeekhead *seekhead = seekhead_list->elem;
 uint32_t level_up = matroska->level_up;
 int64_t before_pos = url_ftell(matroska->ctx->pb);
 MatroskaLevel level;
 int i;
 for (i=0; inb_elem; i++) {
+ MatroskaSeekhead *seekhead = seekhead_list->elem;
 int64_t offset = seekhead[i].pos + matroska->segment_start;
 if (seekhead[i].pos <= before_pos