avcodec/vc1_block: Fix mquant check for negative values
Fixes: out of array access
Fixes: ffmpeg_bof_4.avi
Fixes: ffmpeg_bof_5.avi
Fixes: ffmpeg_bof_6.avi
Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Reviewed-by: Jerome Borsboom <jerome.borsboom@carpalis.nl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
d08d4a8
This is CVE-2018-13305
Per https://nvd.nist.gov/vuln/detail/CVE-2018-13305, this issue exists in the vc1_put_blocks_clamped function of libavcodec/vc1_block.c. But there is no vc1_put_blocks_clamped function in ffmpeg 4.0.1 and ffmpeg 4.0.2; should it be the vc1_put_signed_blocks_clamped function in libavcodec/vc1_block.c?
This issue, to the best of my knowledge, was introduced by 144ce36, which is not part of any release. Thus there should be nothing in 4.0.1 or 4.0.2 that has any issue.
Thanks Michael!
If so, ffmpeg 4.0.1 and ffmpeg 4.0.2 don't have this CVE-2018-13305 issue.
Thanks Michael and Mingli. Let me check the case again and I will contact the CVE team to update the description if needed. I did run and confirm the bug-triggering inputs with ffmpeg revision 7becc70 in the master branch (committed on 26 June 2018). It was the reason why I marked ffmpeg 4.0.1 as the newest affected release (16 June 2018). FFmpeg 4.0.2 doesn't have this issue.