From 73d6f4651e64846c9a279357c158a32c6ffbd4f7 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Wed, 20 Feb 2013 11:41:20 -0500
Subject: [PATCH 1/5] ac3dec: validate channel output mode against channel count

Damaged frames can lead to a mismatch, which can cause a segfault due to using an incorrect channel mapping.

CC:libav-stable@libav.org
(cherry picked from commit d7c450436fcb9d3ecf59884a574e7684183e753d)

Conflicts:
 libavcodec/ac3dec.c
---
 libavcodec/ac3dec.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index f15bfa2a07..0d1ba89de5 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1336,8 +1336,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 if (!err) {
 avctx->sample_rate = s->sample_rate;
 avctx->bit_rate = s->bit_rate;
+ }
 
- /* channel config */
+ /* channel config */
+ if (!err || (s->channels && s->out_channels != s->channels)) {
 s->out_channels = s->channels;
 s->output_mode = s->channel_mode;
 if (s->lfe_on)
@@ -1356,18 +1358,18 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 s->fbw_channels == s->out_channels)) {
 set_downmix_coeffs(s);
 }
- } else if (!s->out_channels) {
- s->out_channels = avctx->channels;
- if (s->out_channels < s->channels)
- s->output_mode = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO;
+ } else if (!s->channels) {
+ av_log(avctx, AV_LOG_ERROR, "unable to determine channel mode\n");
+ return AVERROR_INVALIDDATA;
 }
+ avctx->channels = s->out_channels;
+
 /* set audio service type based on bitstream mode for AC-3 */
 avctx->audio_service_type = s->bitstream_mode;
 if (s->bitstream_mode == 0x7 && s->channels > 1)
 avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;
 
 /* get output buffer */
- avctx->channels = s->out_channels;
 s->frame.nb_samples = s->num_blocks * 256;
 if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) {
 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
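Review bot: The new condition `if (!err || (s->channels && s->out_channels != s->channels))` in the first hunk encodes a policy that only the commit message explains — rebuild the output layout after a clean header, or after a damaged one whose channel count no longer matches the layout still in use — and nothing in the code says so. A comment above the branch would keep the rationale with the code, e.g. `/* after a damaged header, keep the previous output layout only while it still matches s->channels; a stale layout would apply the wrong channel mapping (see commit message) */`. In the second hunk the `else if (!s->channels)` branch is then the only error exit, so a damaged frame with a known, consistent channel count deliberately continues with the old layout; stating that in the same comment avoids it being read as an oversight. ac3_decode_frame starts before the first hunk and ends after the second.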
From 37e99e384e37364fca13dc6a70111adb1c356fa2 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 24 Feb 2013 12:30:30 +0100
Subject: [PATCH 2/5] vorbisdec: Add missing checks

Rate and order must not be 0 even if the specification does not say that explicitly.

(cherry picked from commit 5b47c19bfda92273ae49e83db26a565afcaed80a)
Signed-off-by: Reinhard Tartler
---
 libavcodec/vorbisdec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index aac9019ed6..4b87ef96a4 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -585,7 +585,17 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
 floor_setup->decode = vorbis_floor0_decode;
 
 floor_setup->data.t0.order = get_bits(gb, 8);
+ if (!floor_setup->data.t0.order) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor 0 order is 0.\n");
+ return AVERROR_INVALIDDATA;
+ }
 floor_setup->data.t0.rate = get_bits(gb, 16);
+ if (!floor_setup->data.t0.rate) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor 0 rate is 0.\n");
+ return AVERROR_INVALIDDATA;
+ }
 floor_setup->data.t0.bark_map_size = get_bits(gb, 16);
 floor_setup->data.t0.amplitude_bits = get_bits(gb, 6);
 /* zero would result in a div by zero later *

From 494ddd377ada76ed555f7a3f49391455daa099c9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 11 Jan 2013 00:54:12 +0100
Subject: [PATCH 3/5] vorbisdec: Error on bark_map_size equal to 0.

The value is used to calculate output LSP curve and a division by zero and out of array accesses would occur.

CVE-2013-0894
CC: libav-stable@libav.org
Reported-by: Dale Curtis
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer
Signed-off-by: Luca Barbato
(cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc)
Signed-off-by: Reinhard Tartler
---
 libavcodec/vorbisdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 4b87ef96a4..cfa89be26c 100644
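Review bot: The two guards added in vorbis_parse_setup_hdr_floors reject `order == 0` and `rate == 0` without saying what breaks when they are zero, and the commit message only says the specification does not forbid them. A one-line comment per check would help the next reader, e.g. `/* order 0 would leave no LSP coefficients for floor 0 */` above the first and `/* rate is presumably used as a divisor when the bark map is built; 0 is unusable */` above the second. The function continues outside the hunk, so whether an early return here leaks floor tables allocated earlier in the setup loop cannot be judged from the hunk; worth confirming that the caller releases partially built floors on AVERROR_INVALIDDATA.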
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -597,6 +597,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
 return AVERROR_INVALIDDATA;
 }
 floor_setup->data.t0.bark_map_size = get_bits(gb, 16);
+ if (floor_setup->data.t0.bark_map_size == 0) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor 0 bark map size is 0.\n");
+ return AVERROR_INVALIDDATA;
+ }
 floor_setup->data.t0.amplitude_bits = get_bits(gb, 6);
 /* zero would result in a div by zero later *
 * 2^0 - 1 == 0 */

From c6c4dc69354f72376708ded9bb56af4a58082f1d Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 24 Feb 2013 16:56:15 +0100
Subject: [PATCH 4/5] vorbisdec: Accept 0 amplitude_bits

The specification does not prevent an encoder to write the amplitude 0 as 0 amplitude_bits. Our get_bits() implementation might not support a zero sized read properly, thus the additional branch.

(cherry picked from commit 23bd9ef4b209c789d5473d75f89a2e411d343d80)

Conflicts:
 libavcodec/vorbisdec.c
---
 libavcodec/vorbisdec.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index cfa89be26c..884cd5bb45 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -603,13 +603,6 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
 return AVERROR_INVALIDDATA;
 }
 floor_setup->data.t0.amplitude_bits = get_bits(gb, 6);
- /* zero would result in a div by zero later *
- * 2^0 - 1 == 0 */
- if (floor_setup->data.t0.amplitude_bits == 0) {
- av_log(vc->avccontext, AV_LOG_ERROR,
- "Floor 0 amplitude bits is 0.\n");
- return AVERROR_INVALIDDATA;
- }
 floor_setup->data.t0.amplitude_offset = get_bits(gb, 8);
 floor_setup->data.t0.num_books = get_bits(gb, 4) + 1;
 
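Review bot: The new check in vorbis_parse_setup_hdr_floors is written `if (floor_setup->data.t0.bark_map_size == 0)` while the two zero-checks directly above it (only their closing `return AVERROR_INVALIDDATA; }` is visible as context here; the full form is in the previous patch) use `!field`, so three consecutive guards on the same struct read inconsistently; `if (!floor_setup->data.t0.bark_map_size) {` would match. The reason for the check lives only in the log (CVE-2013-0894: the value feeds the LSP curve computation, where zero causes a division by zero and out-of-array accesses); a comment such as `/* 0 divides by zero and runs off the map when the LSP curve is computed (CVE-2013-0894) */` would keep it with the code. The function continues outside the hunk.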
@@ -1063,6 +1056,9 @@ static int vorbis_floor0_decode(vorbis_context *vc,
 unsigned amplitude, book_idx;
 unsigned blockflag = vc->modes[vc->mode_number].blockflag;
 
+ if (!vf->amplitude_bits)
+ return 1;
+
 amplitude = get_bits(&vc->gb, vf->amplitude_bits);
 if (amplitude > 0) {
 float last = 0;

From 1b0082eabcc98e079d33c61da4d30ded89de68a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Fri, 1 Mar 2013 16:30:44 +0200
Subject: [PATCH 5/5] flvdec: Don't read the VP6 header byte when setting codec type based on metadata
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This header byte is only present when actually reading a VP6 frame, not when reading the codec type field in the metadata. This potential bug has been present since 5b54a90c.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit c91c63b5380bf79655c09320774a022f84d76fd5)
Signed-off-by: Reinhard Tartler
---
 libavformat/flvdec.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 7d5ea56cdd..e45a9a2bfa 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -201,7 +201,7 @@ static int flv_same_video_codec(AVCodecContext *vcodec, int flags)
 return 0;
 }
 
-static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid) {
+static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid, int read) {
 AVCodecContext *vcodec = vstream->codec;
 switch(flv_codecid) {
 case FLV_CODECID_H263 : vcodec->codec_id = AV_CODEC_ID_FLV1 ; break;
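Review bot: The early `return 1;` added to vorbis_floor0_decode for `vf->amplitude_bits == 0` is a bare magic value — nothing in the hunk says what 1 means to the caller. From the commit message the intent is that a zero-width amplitude field encodes amplitude 0, which presumably should behave like the path taken when the `amplitude > 0` test below fails, so make that explicit: `/* amplitude_bits == 0 encodes amplitude 0 with no bits to read; report the same result as the amplitude == 0 path below */`. If that path (outside the hunk) does not in fact return 1, the two should be reconciled. The function starts before and ends after the hunk.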
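Review bot: The `int read` parameter added to flv_set_video_codec is an undocumented boolean, and its meaning — whether the VP6 header byte is present in `s->pb` and may be consumed — is only explained in the commit message. A comment on the signature would fix that without renaming: `/* read: nonzero when called from flv_read_packet with the VP6 header byte next in the stream; zero when the codec id comes from metadata and nothing may be consumed */`. The VP6 branch that uses the flag is in the next hunk, and the function ends outside this one.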
@@ -211,11 +211,13 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_co
 case FLV_CODECID_VP6A :
 if(flv_codecid == FLV_CODECID_VP6A)
 vcodec->codec_id = AV_CODEC_ID_VP6A;
- if(vcodec->extradata_size != 1) {
- vcodec->extradata_size = 1;
- vcodec->extradata = av_malloc(1);
+ if (read) {
+ if (vcodec->extradata_size != 1) {
+ vcodec->extradata_size = 1;
+ vcodec->extradata = av_malloc(1);
+ }
+ vcodec->extradata[0] = avio_r8(s->pb);
 }
- vcodec->extradata[0] = avio_r8(s->pb);
 return 1; // 1 byte body size adjustment for flv_read_packet()
 case FLV_CODECID_H264:
 vcodec->codec_id = AV_CODEC_ID_H264;
@@ -408,7 +410,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst
 st->codec->codec_id = AV_CODEC_ID_TEXT;
 } else if (flv->trust_metadata) {
 if (!strcmp(key, "videocodecid") && vcodec) {
- flv_set_video_codec(s, vstream, num_val);
+ flv_set_video_codec(s, vstream, num_val, 0);
 } else if (!strcmp(key, "audiocodecid") && acodec) {
 flv_set_audio_codec(s, astream, acodec, num_val);
 
@@ -766,7 +768,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt)
 sample_rate = ctx.sample_rate;
 }
 }else{
- size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK);
+ size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1);
 }
 
 if (st->codec->codec_id == AV_CODEC_ID_AAC ||
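Review bot: Inside the new `if (read)` block the result of `vcodec->extradata = av_malloc(1)` is still unchecked and is written through on the very next line, so an allocation failure dereferences NULL; `extradata_size` is also set to 1 before the allocation has succeeded, and a previous buffer of a different size is overwritten without being released. Because the function's return value is the byte count that flv_read_packet subtracts from the packet size (`size -= flv_set_video_codec(...)` in the last hunk), a negative error return cannot be introduced without changing that caller, so the minimal fix below consumes the byte unconditionally, stores it only when a buffer exists, and keeps `extradata_size` truthful. Whether the old buffer was allocated with av_malloc and is safe to av_freep here cannot be seen from the hunk; that matches the usual ownership of extradata but is worth confirming. The function ends outside the hunk.

```c
            if (read) {
                int hdr = avio_r8(s->pb); // always consume: the return 1 below promises it
                if (vcodec->extradata_size != 1) {
                    av_freep(&vcodec->extradata);
                    vcodec->extradata      = av_malloc(1);
                    vcodec->extradata_size = vcodec->extradata ? 1 : 0;
                }
                if (vcodec->extradata)
                    vcodec->extradata[0] = hdr;
            }
            return 1; // 1 byte body size adjustment for flv_read_packet()
```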