[vlc-commits] [Git][videolan/vlc][master] 3 commits: decoder: update i_bitspersample

David (@dfuhrmann) gitlab at videolan.org
Thu Sep 29 19:02:37 UTC 2022



David pushed to branch master at VideoLAN / VLC


Commits:
2c2df214 by Romain Vimont at 2022-09-29T21:02:13+02:00
decoder: update i_bitspersample

The field i_bytes_per_frame was updated, but not i_bitspersample,
causing an inconsistency leading to a buffer overflow.

Fixes #26930

- - - - -
03100bbd by Francois Cartegnie at 2022-09-29T21:02:14+02:00
demux: ogg: check ogg_sync_buffer allocs

- - - - -
5eb783fd by Romain Vimont at 2022-09-29T21:02:14+02:00
vnc: fix possible buffer overflow

Thanks to 0xMitsurugi [1] from Synacktiv [2] for the bug report and fix.

[1] https://twitter.com/0xMitsurugi
[2] https://www.synacktiv.com/

Fixes #27335

- - - - -


4 changed files:

- modules/access/vnc.c
- modules/demux/ogg.c
- modules/demux/oggseek.c
- src/input/decoder.c


Changes:

=====================================
modules/access/vnc.c
=====================================
@@ -33,6 +33,7 @@
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
+#include <assert.h>
 
 #include <vlc_common.h>
 #include <vlc_plugin.h>
@@ -116,7 +117,7 @@ typedef struct
     vlc_sem_t closing;
 
     rfbClient* p_client;
-    int i_framebuffersize;
+    size_t i_framebuffersize;
     block_t *p_block;
 
     float f_fps;
@@ -144,11 +145,16 @@ static rfbBool mallocFrameBufferHandler( rfbClient* p_client )
         p_sys->es = NULL;
     }
 
-    int i_width = p_client->width;
-    int i_height = p_client->height;
-    int i_depth = p_client->format.bitsPerPixel;
+    assert(!(p_client->width & ~0xffff)); // fits in 16 bits
+    uint16_t i_width = p_client->width;
 
-    switch( i_depth )
+    assert(!(p_client->height & ~0xffff)); // fits in 16 bits
+    uint16_t i_height = p_client->height;
+
+    uint8_t i_bits_per_pixel = p_client->format.bitsPerPixel;
+    assert((i_bits_per_pixel & 0x7) == 0); // multiple of 8
+
+    switch( i_bits_per_pixel )
     {
         case 8:
             i_chroma = VLC_CODEC_RGB8;
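Review bot: The three new `assert()` calls guard `p_client->width`, `p_client->height` and `p_client->format.bitsPerPixel`, which the client library presumably fills in from the remote server's messages, yet they vanish when NDEBUG is defined and abort the process otherwise. In a build without assertions an out-of-range width or height would be silently truncated by the `uint16_t` assignment, so the size computed later could disagree with what the library writes into the framebuffer. A runtime check that fails the handler is more robust, e.g. `if ((p_client->width & ~0xffff) || (p_client->height & ~0xffff)) return FALSE;`. The multiple-of-8 case can be left to the `switch` if its default branch (outside this hunk) already rejects unknown depths. The body of mallocFrameBufferHandler starts and ends outside the hunk.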
@@ -187,7 +193,10 @@ static rfbBool mallocFrameBufferHandler( rfbClient* p_client )
     }
 
     /* Set up framebuffer */
-    p_sys->i_framebuffersize = i_width * i_height * i_depth / 8;
+    if (mul_overflow(i_width, i_height * (i_bits_per_pixel / 8), &p_sys->i_framebuffersize)) {
+        msg_Err(p_demux, "VNC framebuffersize overflow");
+        return FALSE;
+    }
 
     /* Reuse unsent block */
     if ( p_sys->p_block )
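Review bot: Only the outer multiplication is covered by `mul_overflow`; the inner `i_height * (i_bits_per_pixel / 8)` is evaluated in plain `int` before the check sees it. That is safe only because the operands were narrowed to `uint16_t` and `uint8_t` earlier in the function (at most 65535 * 31), so I would record it next to the call: `/* i_height * bytes-per-pixel fits in int: uint16_t * (uint8_t / 8) */`. With a 64-bit `size_t` the check should not fire for these ranges at all. The allocation that follows (outside this hunk) is then what actually limits the requested size, and its result needs checking.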
@@ -218,7 +227,7 @@ static rfbBool mallocFrameBufferHandler( rfbClient* p_client )
     fmt.video.i_frame_rate_base = 1000;
     fmt.video.i_frame_rate = 1000 * p_sys->f_fps;
 
-    fmt.video.i_bits_per_pixel = i_depth;
+    fmt.video.i_bits_per_pixel = i_bits_per_pixel;
     fmt.video.i_rmask = p_client->format.redMax << p_client->format.redShift;
     fmt.video.i_gmask = p_client->format.greenMax << p_client->format.greenShift;
     fmt.video.i_bmask = p_client->format.blueMax << p_client->format.blueShift;


=====================================
modules/demux/ogg.c
=====================================
@@ -920,6 +920,8 @@ static int Ogg_ReadPage( demux_t *p_demux, ogg_page *p_oggpage )
     while( ogg_sync_pageout( &p_ogg->oy, p_oggpage ) != 1 )
     {
         p_buffer = ogg_sync_buffer( &p_ogg->oy, OGGSEEK_BYTES_TO_READ );
+        if( !p_buffer )
+            return VLC_EGENERIC;
 
         i_read = vlc_stream_Read( p_demux->s, p_buffer, OGGSEEK_BYTES_TO_READ );
         if( i_read <= 0 )


=====================================
modules/demux/oggseek.c
=====================================
@@ -197,6 +197,8 @@ static int64_t get_data( demux_t *p_demux, int64_t i_bytes_to_read )
     seek_byte ( p_demux, p_sys->i_input_position );
 
     buf = ogg_sync_buffer( &p_sys->oy, i_bytes_to_read );
+    if( !buf )
+        return 0;
 
     i_result = vlc_stream_Read( p_demux->s, buf, i_bytes_to_read );
 
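Review bot: Returning `0` when `ogg_sync_buffer()` fails makes an allocation failure indistinguishable from a read that produced no data, assuming the callers of get_data treat 0 as end of data (they are outside this hunk). The same applies to the `return 0;` added in oggseek_read_page in the next hunk. A log line before each return would make the cause visible, e.g. `msg_Err( p_demux, "ogg_sync_buffer failed" );`, and a short comment such as `/* allocation failure is reported as "no data read" */` would document the convention. Both functions start and end outside their hunks.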
@@ -968,6 +970,8 @@ int64_t oggseek_read_page( demux_t *p_demux )
     ogg_sync_reset( &p_ogg->oy );
 
     buf = ogg_sync_buffer( &p_ogg->oy, i_page_size );
+    if( !buf )
+        return 0;
 
     memcpy( buf, header, PAGE_HEADER_BYTES + i_nsegs );
 


=====================================
src/input/decoder.c
=====================================
@@ -475,6 +475,8 @@ static int ModuleThread_UpdateAudioFormat( decoder_t *p_dec )
 
         p_dec->fmt_out.audio.i_bytes_per_frame =
             p_owner->fmt.audio.i_bytes_per_frame;
+        p_dec->fmt_out.audio.i_bitspersample =
+            p_owner->fmt.audio.i_bitspersample;
         p_dec->fmt_out.audio.i_frame_length =
             p_owner->fmt.audio.i_frame_length;
 
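Review bot: The audio format fields are still copied from `p_owner->fmt` into `p_dec->fmt_out` one at a time, which is the pattern that let `i_bitspersample` drift from `i_bytes_per_frame` in the first place. Nothing in the visible lines tells a maintainer that these fields have to move together. I would add a comment above the group, such as `/* these fields must be updated together; a mismatch led to a buffer overflow (#26930) */`. The enclosing block of ModuleThread_UpdateAudioFormat starts and ends outside the hunk.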



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/bd9ba4a8e67e83af9acc824b739e1e7fdddbfb41...5eb783fd44ed6298db3e38f7765f21c42e4405f9
