[vlc-commits] [Git][videolan/vlc][3.0.x] 3 commits: demux: mp4: fix qtff v1 divbyzero

David (@dfuhrmann) gitlab at videolan.org
Thu Sep 29 19:08:44 UTC 2022



David pushed to branch 3.0.x at VideoLAN / VLC


Commits:
2154ab15 by Francois Cartegnie at 2022-09-28T20:54:22+02:00
demux: mp4: fix qtff v1 divbyzero

- - - - -
38bc5514 by Francois Cartegnie at 2022-09-29T21:03:47+02:00
demux: ogg: check ogg_sync_buffer allocs

(cherry picked from commit 03100bbd06a1aeaf0cb580cff8204df3e05cb9eb)

- - - - -
4fcace61 by Romain Vimont at 2022-09-29T21:04:07+02:00
vnc: fix possible buffer overflow

Thanks to 0xMitsurugi [1] from Synacktiv [2] for the bug report and fix.

[1] https://twitter.com/0xMitsurugi
[2] https://www.synacktiv.com/

Fixes #27335

(cherry picked from commit 5eb783fd44ed6298db3e38f7765f21c42e4405f9)

- - - - -


4 changed files:

- modules/access/vnc.c
- modules/demux/mp4/essetup.c
- modules/demux/ogg.c
- modules/demux/oggseek.c


Changes:

=====================================
modules/access/vnc.c
=====================================
@@ -33,6 +33,7 @@
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
+#include <assert.h>
 
 #include <vlc_common.h>
 #include <vlc_plugin.h>
@@ -115,7 +116,7 @@ struct demux_sys_t
     int i_cancel_state;
 
     rfbClient* p_client;
-    int i_framebuffersize;
+    size_t i_framebuffersize;
     block_t *p_block;
 
     float f_fps;
@@ -143,11 +144,16 @@ static rfbBool mallocFrameBufferHandler( rfbClient* p_client )
         p_sys->es = NULL;
     }
 
-    int i_width = p_client->width;
-    int i_height = p_client->height;
-    int i_depth = p_client->format.bitsPerPixel;
+    assert(!(p_client->width & ~0xffff)); // fits in 16 bits
+    uint16_t i_width = p_client->width;
 
-    switch( i_depth )
+    assert(!(p_client->height & ~0xffff)); // fits in 16 bits
+    uint16_t i_height = p_client->height;
+
+    uint8_t i_bits_per_pixel = p_client->format.bitsPerPixel;
+    assert((i_bits_per_pixel & 0x7) == 0); // multiple of 8
+
+    switch( i_bits_per_pixel )
     {
         case 8:
             i_chroma = VLC_CODEC_RGB8;
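Review bot: The three new `assert()` calls are the only guard on `p_client->width`, `p_client->height` and `bitsPerPixel`, and they disappear in builds compiled with `NDEBUG`. In such a build `uint16_t i_width = p_client->width;` would silently truncate an out-of-range value, and the framebuffer size computed later would no longer match the dimensions the library holds. If any of these fields can be influenced by the remote server (not determinable from this hunk), a runtime check that fails the handler is safer than an assertion, e.g. `if( p_client->width < 0 || p_client->width > UINT16_MAX ) return FALSE;` and likewise for the height. If they are genuine library invariants, a short comment saying who guarantees them would help. mallocFrameBufferHandler starts and ends outside the hunk.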
@@ -180,7 +186,10 @@ static rfbBool mallocFrameBufferHandler( rfbClient* p_client )
     }
 
     /* Set up framebuffer */
-    p_sys->i_framebuffersize = i_width * i_height * i_depth / 8;
+    if (mul_overflow(i_width, i_height * (i_bits_per_pixel / 8), &p_sys->i_framebuffersize)) {
+        msg_Err(p_demux, "VNC framebuffersize overflow");
+        return FALSE;
+    }
 
     /* Reuse unsent block */
     if ( p_sys->p_block )
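Review bot: Only the outer product in the `mul_overflow()` call is overflow-checked; the inner `i_height * (i_bits_per_pixel / 8)` is plain `int` arithmetic and is safe solely because the operands were narrowed to `uint16_t` and `uint8_t` earlier in the function. That dependency deserves a comment so that a later type change does not reintroduce the overflow, for example `/* i_height (16 bits) * bytes per pixel (<= 31) cannot overflow int; only the outer product needs checking */`. The enclosing function continues outside the hunk.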
@@ -211,7 +220,7 @@ static rfbBool mallocFrameBufferHandler( rfbClient* p_client )
     fmt.video.i_frame_rate_base = 1000;
     fmt.video.i_frame_rate = 1000 * p_sys->f_fps;
 
-    fmt.video.i_bits_per_pixel = i_depth;
+    fmt.video.i_bits_per_pixel = i_bits_per_pixel;
     fmt.video.i_rmask = p_client->format.redMax << p_client->format.redShift;
     fmt.video.i_gmask = p_client->format.greenMax << p_client->format.greenShift;
     fmt.video.i_bmask = p_client->format.blueMax << p_client->format.blueShift;


=====================================
modules/demux/mp4/essetup.c
=====================================
@@ -807,11 +807,6 @@ int SetupAudioES( demux_t *p_demux, mp4_track_t *p_track, MP4_Box_t *p_sample )
                 p_track->fmt.i_codec = p_sample->i_type;
                 break;
             }
-
-        }
-        else if( p_soun->i_qt_version == 1 && p_soun->i_sample_per_packet <= 0 )
-        {
-            p_soun->i_qt_version = 0;
         }
     }
     else if( p_sample->data.p_sample_soun->i_qt_version == 1 )
@@ -838,7 +833,8 @@ int SetupAudioES( demux_t *p_demux, mp4_track_t *p_track, MP4_Box_t *p_sample )
         {
             /* redefined sample tables for vbr audio */
         }
-        else if ( p_track->i_sample_size != 0 && p_soun->i_sample_per_packet == 0 )
+        else if ( p_track->i_sample_size != 0 &&
+                  ( p_soun->i_sample_per_packet == 0 || p_soun->i_bytes_per_frame == 0 ) )
         {
             msg_Err( p_demux, "Invalid sample per packet value for qt_version 1. Broken muxer! %u %u",
                      p_track->i_sample_size, p_soun->i_sample_per_packet );
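Review bot: The widened condition now also fires when `p_soun->i_bytes_per_frame == 0`, but the `msg_Err` text still says "Invalid sample per packet value" and prints only the sample size and samples per packet, so the log would not show which field was zero. Consider `"Invalid sample per packet or bytes per frame value for qt_version 1. Broken muxer! %u %u %u"` with `p_soun->i_bytes_per_frame` added as the third argument. The body of this branch ends outside the hunk.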
@@ -846,6 +842,15 @@ int SetupAudioES( demux_t *p_demux, mp4_track_t *p_track, MP4_Box_t *p_sample )
         }
     }
 
+    if( p_sample->data.p_sample_soun->i_qt_version == 1 &&
+        ( p_soun->i_sample_per_packet == 0 || /* >0,  1 for uncompressed formats */
+          p_soun->i_bytes_per_frame == 0 /* bytes_per_packet * channels */ ) )
+    {
+        msg_Warn( p_demux, "Invalid sample values for qtff v1. Broken muxer! sz %u spp %u bpf %u",
+                  p_track->i_sample_size, p_soun->i_sample_per_packet, p_soun->i_bytes_per_frame );
+        p_soun->i_qt_version = 0;
+    }
+
     /* Endianness atom */
     const MP4_Box_t *p_enda = MP4_BoxGet( p_sample, "wave/enda" );
     if( !p_enda )
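Review bot: The added condition reads the version through `p_sample->data.p_sample_soun->i_qt_version` but resets it through `p_soun->i_qt_version = 0;`, so the reader has to verify that both name the same object (the declaration of `p_soun` is outside the hunk). Using `p_soun->i_qt_version == 1` in the condition would keep the block self-consistent. It also looks as if an input with a non-zero sample size and a zero field is reported twice, once by the `msg_Err` in the branch above and once by this `msg_Warn`; worth confirming that is intended.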


=====================================
modules/demux/ogg.c
=====================================
@@ -987,6 +987,8 @@ static int Ogg_ReadPage( demux_t *p_demux, ogg_page *p_oggpage )
     while( ogg_sync_pageout( &p_ogg->oy, p_oggpage ) != 1 )
     {
         p_buffer = ogg_sync_buffer( &p_ogg->oy, OGGSEEK_BYTES_TO_READ );
+        if( !p_buffer )
+            return VLC_EGENERIC;
 
         i_read = vlc_stream_Read( p_demux->s, p_buffer, OGGSEEK_BYTES_TO_READ );
         if( i_read <= 0 )
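Review bot: The new `return VLC_EGENERIC;` makes an allocation failure in `ogg_sync_buffer()` indistinguishable from any other page-read error, and nothing is logged on that path. `return VLC_ENOMEM;` would state the cause, provided callers only test against `VLC_SUCCESS` (they are not visible here). Ogg_ReadPage continues outside the hunk.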


=====================================
modules/demux/oggseek.c
=====================================
@@ -204,6 +204,8 @@ static int64_t get_data( demux_t *p_demux, int64_t i_bytes_to_read )
     seek_byte ( p_demux, p_sys->i_input_position );
 
     buf = ogg_sync_buffer( &p_sys->oy, i_bytes_to_read );
+    if( !buf )
+        return 0;
 
     i_result = vlc_stream_Read( p_demux->s, buf, i_bytes_to_read );
 
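Review bot: `return 0;` on a failed `ogg_sync_buffer()` gives callers of `get_data` the same value as a read that produced no data, so an out-of-memory condition will presumably be handled as end of stream. The same applies to the identical check added to `oggseek_read_page` in the next hunk. If that is the intended contract, a comment such as `/* allocation failure is reported as "no data" */` above each check would record it. Both functions continue outside their hunks.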
@@ -1093,6 +1095,8 @@ int64_t oggseek_read_page( demux_t *p_demux )
     ogg_sync_reset( &p_ogg->oy );
 
     buf = ogg_sync_buffer( &p_ogg->oy, i_page_size );
+    if( !buf )
+        return 0;
 
     memcpy( buf, header, PAGE_HEADER_BYTES + i_nsegs );
 



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/13426fb3eb33a64a4c03696a51101e3694806176...4fcace61801f418786c42487c6b06b693ee87666
