[FFmpeg-devel] [PATCH] interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Tue Nov 1 01:40:26 EET 2016


On 31.10.2016 08:33, Paul B Mahol wrote:
> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
>> On 30.10.2016 22:18, Paul B Mahol wrote:
>>> On 10/30/16, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
>>>> This fixes out-of-bounds reads by the bitstream reader.
>>>>
>>>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>>>> ---
>>>>  libavcodec/interplayacm.c | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
>>>> index 0486e00..f4a3446 100644
>>>> --- a/libavcodec/interplayacm.c
>>>> +++ b/libavcodec/interplayacm.c
>>>> @@ -72,7 +72,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
>>>>      s->block   = av_calloc(s->block_len, sizeof(int));
>>>>      s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
>>>>      s->ampbuf  = av_calloc(0x10000, sizeof(int));
>>>> -    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
>>>> +    s->bitstream = av_calloc(s->max_framesize +
>>>> AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1,
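Review bot: the quoted `+` line breaks off after `+ 1,`, so the second `av_calloc` argument and the closing parenthesis are not visible in this hunk; when reposting, quote the full statement so the change can be reviewed as a whole. The expression `s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1` deliberately rounds the padding up by one extra element to absorb integer truncation, which is fine, but a one-line comment tying the extra elements to the `init_get_bits8` padding requirement would make the intent obvious to the next reader of `decode_init`.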
>>>
>>> How did you come up with this fix?
>>> A little background would help.
>>
>> The out-of-bounds read happens in get_bits called from linear.
>> The buffer passed to init_get_bits8 is &s->bitstream[s->bitstream_index].
>> The get_bits documentation says:
>> /**
>>  * Initialize GetBitContext.
>>  * @param buffer bitstream buffer, must be AV_INPUT_BUFFER_PADDING_SIZE bytes
>>  *        larger than the actual read bits because some optimized bitstream
>>  *        readers read 32 or 64 bit at once and could read over the end
>>  * @param byte_size the size of the buffer in bytes
>>  * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow.
>>  */
>> static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer,
>>                                  int byte_size)
>>
>> Increasing the buffer size fixed the problem, so the case seems quite clear.
>>
>> Best regards,
>> Andreas
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel at ffmpeg.org
>> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
> 
> ok

Pushed.

Best regards,
Andreas
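The invariant behind the patch, as an added illustration that is not part of the thread or of FFmpeg: a reader started at `&s->bitstream[s->bitstream_index]` may touch up to AV_INPUT_BUFFER_PADDING_SIZE bytes past its payload, so the allocation must cover `index + size + padding` for every legal frame. `PADDING_SIZE` is a constructed stand-in for the FFmpeg constant, and `padded_count` reproduces the patch's arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for AV_INPUT_BUFFER_PADDING_SIZE; FFmpeg defines the real value. */
#define PADDING_SIZE 64

/* Elements to allocate for a bitstream buffer of max_elems payload elements so
 * that PADDING_SIZE bytes of slack follow the payload: the same arithmetic as
 * the patch, max + PADDING / sizeof(elem) + 1.  Returns 0 on size_t overflow. */
static size_t padded_count(size_t max_elems, size_t elem_size)
{
    size_t extra = PADDING_SIZE / elem_size + 1; /* +1 absorbs integer truncation */
    if (max_elems > SIZE_MAX - extra)
        return 0;
    return max_elems + extra;
}

/* The invariant init_get_bits8() documents: a reader started at byte `index`
 * with `size` payload bytes may read up to PADDING_SIZE bytes past the payload,
 * so index + size + PADDING_SIZE must fit inside the allocation. */
static int reader_in_bounds(size_t alloc_bytes, size_t index, size_t size)
{
    if (index > SIZE_MAX - size || index + size > SIZE_MAX - PADDING_SIZE)
        return 0;
    return index + size + PADDING_SIZE <= alloc_bytes;
}

/* Check every (index, size) the decoder can legally use: index + size <= max. */
static int all_frames_in_bounds(size_t alloc_bytes, size_t max)
{
    for (size_t index = 0; index <= max; index++)
        if (!reader_in_bounds(alloc_bytes, index, max - index))
            return 0;
    return 1;
}

int main(void)
{
    size_t max_framesize = 1000;                    /* constructed frame size */
    size_t before = max_framesize;                  /* pre-patch: av_calloc(max_framesize, 1) */
    size_t after  = padded_count(max_framesize, 1); /* post-patch allocation */
    printf("before patch: %s\n", all_frames_in_bounds(before, max_framesize) ? "ok" : "over-read possible");
    printf("after patch:  %s\n", all_frames_in_bounds(after, max_framesize) ? "ok" : "over-read possible");
    return 0;
}
```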
