avcodec/vc1_block: Fix mquant check for negative values
Fixes: out of array access
Fixes: ffmpeg_bof_4.avi
Fixes: ffmpeg_bof_5.avi
Fixes: ffmpeg_bof_6.avi

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Reviewed-by: Jerome Borsboom <jerome.borsboom@carpalis.nl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
michaelni committed Jun 29, 2018
1 parent 5a99e00 commit d08d4a8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libavcodec/vc1_block.c
@@ -207,7 +207,7 @@ static void vc1_put_blocks_clamped(VC1Context *v, int put_signed)
if ((edges&8) && \
s->mb_y == ((s->mb_height >> v->field_mode) - 1)) \
mquant = -v->altpq; \
if (!mquant || mquant > 31) { \
if (!mquant || mquant > 31 || mquant < -31) { \
av_log(v->s.avctx, AV_LOG_ERROR, \
"Overriding invalid mquant %d\n", mquant); \
mquant = 1; \
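Review bot: the widened condition `if (!mquant || mquant > 31 || mquant < -31)` closes the negative path, but the only visible source of a negative value is `mquant = -v->altpq;` two lines above it, so a one-line comment here saying that a negative mquant means "altpq applies, looked up by magnitude" and that [-31, -1] is therefore a legal range would stop the next reader from taking this for a plain range check; the same condition reads as `!mquant || FFABS(mquant) > 31`, which makes the symmetry explicit. Separately, overriding to `mquant = 1` after the av_log keeps decoding a block whose quantiser has just been shown to be corrupt; that is acceptable for robustness, but if altpq can be validated against 1..31 where it is parsed, the out-of-range value would be rejected once at the header instead of being logged on every block that reaches this macro.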

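To show the bug class the commit message describes (a one-sided bound check that a negative value slips past, followed by an out-of-array access once that value is used as a table index), here is an added C example; it is not FFmpeg code. It reproduces the two versions of the condition from the hunk, emulates the `mquant = -v->altpq` assignment and the override to 1, and uses a constructed 32-entry table as a stand-in for whatever per-quantiser table the decoder indexes. That the real decoder indexes such a table by the magnitude of mquant is an assumption made for illustration only; the table contents, the altpq value of 40 and the scanned range are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed 32-entry table (index 0..31) standing in for a per-quantiser
 * table. That the decoder indexes such a table by the magnitude of mquant is
 * an assumption for illustration; the page does not show the real lookup. */
#define QUANT_TABLE_SIZE 32
static const int quant_table[QUANT_TABLE_SIZE] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
};

/* The condition as it stood before the commit: zero and the upper bound are
 * rejected, but every negative value is accepted. */
static int mquant_ok_before(int mquant)
{
    return !(!mquant || mquant > 31);
}

/* The condition after the commit: the lower bound -31 is enforced as well
 * (equivalently !mquant || FFABS(mquant) > 31 in FFmpeg's own idiom). */
static int mquant_ok_after(int mquant)
{
    return !(!mquant || mquant > 31 || mquant < -31);
}

/* Emulates the hunk's recovery path: an invalid mquant is logged and replaced
 * by 1 so that decoding continues. */
static int sanitize_mquant(int mquant, int (*ok)(int))
{
    if (!ok(mquant)) {
        fprintf(stderr, "Overriding invalid mquant %d\n", mquant);
        return 1;
    }
    return mquant;
}

/* Bounds-checked lookup by magnitude. Returns -1 where the real code would
 * read past the end of the table, so this demo itself never goes out of bounds. */
static int lookup_by_magnitude(int mquant)
{
    int idx = abs(mquant);
    if (idx >= QUANT_TABLE_SIZE)
        return -1;
    return quant_table[idx];
}

/* Counts the values in [lo, hi] that pass the given check yet would still
 * index outside the table. Zero means the check fully guards the lookup. */
static int count_escapes(int (*ok)(int), int lo, int hi)
{
    int n = 0;
    for (int m = lo; m <= hi; m++)
        if (ok(m) && lookup_by_magnitude(m) < 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed input: an altpq outside 1..31, negated exactly as the hunk
     * does with mquant = -v->altpq. */
    int altpq  = 40;
    int mquant = -altpq;
    int before = sanitize_mquant(mquant, mquant_ok_before);
    int after  = sanitize_mquant(mquant, mquant_ok_after);

    printf("before fix: mquant %d kept as %d, table index -> %d\n",
           mquant, before, lookup_by_magnitude(before));
    printf("after fix:  mquant %d replaced by %d, table index -> %d\n",
           mquant, after, lookup_by_magnitude(after));
    printf("values in [-1000, 1000] that pass the check but escape the table: "
           "before=%d after=%d\n",
           count_escapes(mquant_ok_before, -1000, 1000),
           count_escapes(mquant_ok_after,  -1000, 1000));
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. The scan over [-1000, 1000] is the point of the example: with only the upper bound, every value from -1000 up to -32 passes the check and would reach the table at an index of 32 or more, while the symmetric check leaves no such value.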
5 comments on commit d08d4a8

@thuanpv commented on d08d4a8 Jul 6, 2018

This is CVE-2018-13305

@Mingli-Yu

Per https://nvd.nist.gov/vuln/detail/CVE-2018-13305, this issue exists in the vc1_put_blocks_clamped function of libavcodec/vc1_block.c. But there is no vc1_put_blocks_clamped function in ffmpeg 4.0.1 or ffmpeg 4.0.2; should it be the vc1_put_signed_blocks_clamped function in libavcodec/vc1_block.c?

@michaelni (Member Author)

This issue, to the best of my knowledge, was introduced by 144ce36, which is not part of any release. Thus there should be nothing in 4.0.1 or 4.0.2 that has any issue.

@Mingli-Yu commented on d08d4a8 Aug 16, 2018

Thanks Michael!
If so, ffmpeg 4.0.1 and ffmpeg 4.0.2 don't have this CVE-2018-13305 issue.

@thuanpv

Thanks Michael and Mingli. Let me check the case again and I will contact the CVE team to update the description if needed. I did run and confirm the bug-triggering inputs with ffmpeg revision 7becc70 in the master branch (committed on 26 June 2018). It was the reason why I marked ffmpeg 4.0.1 as the newest affected release (16 June 2018). FFmpeg 4.0.2 doesn't have this issue.
