From e44f653d013abdad41e814250df65cb1fa96a290 Mon Sep 17 00:00:00 2001
From: Tielei
Date: Wed, 20 Aug 2008 10:08:00 +0000
Subject: Integer overflow in ff_audio_decode_data()
There is an integer overflow bug in ff_audio_decode_data(). A crafted file could cause heap crash.
--HG--
extra : transplant_source : FxpH6%A3%B7%C5%DA9%5B%F6h%AFKm%93%EA%1Bv
---
 src/combined/ffmpeg/ff_audio_decoder.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src/combined')
diff --git a/src/combined/ffmpeg/ff_audio_decoder.c b/src/combined/ffmpeg/ff_audio_decoder.c
index b3b54ab0a..a08c3ac35 100644
--- a/src/combined/ffmpeg/ff_audio_decoder.c
+++ b/src/combined/ffmpeg/ff_audio_decoder.c
@@ -249,6 +249,8 @@ static void ff_audio_decode_data (audio_decoder_t *this_gen, buf_element_t *buf)
 if (extradata + data_len > this->size)
 break; /* abort early - extradata length is bad */
+ if (extradata > INT_MAX - data_len)
+ break;/*integer overflow*/
 this->context->extradata_size = data_len;
 this->context->extradata = malloc(this->context->extradata_size +
--
cgit v1.2.3
From 104278cb4cf805fc875ebd49b4a4b8f369b91c7d Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Mon, 25 Aug 2008 13:50:32 +0100
Subject: Fix a possible heap buffer overflow in the ffmpeg video decoder.
This could happen where the actual image height is not a multiple of 16.
--HG--
extra : transplant_source : %10%BD%8C%FE%BA%CA0%D5k%8A%9CH%DD%B1-%A7E4%CD%E6
---
 src/combined/ffmpeg/ff_video_decoder.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
(limited to 'src/combined')
diff --git a/src/combined/ffmpeg/ff_video_decoder.c b/src/combined/ffmpeg/ff_video_decoder.c
index ac101d77e..e643708df 100644
--- a/src/combined/ffmpeg/ff_video_decoder.c
+++ b/src/combined/ffmpeg/ff_video_decoder.c
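Review bot: The new guard `+ if (extradata > INT_MAX - data_len)` is placed after the existing `if (extradata + data_len > this->size)` test, so the sum it is meant to protect has already been evaluated by the time it runs; if those variables are signed ints the overflowing addition is undefined behaviour before the guard is reached, and if they are unsigned the wrapped sum can pass the size check first. Move the guard ahead of the size comparison, e.g. `if (extradata > INT_MAX - data_len || extradata + data_len > this->size)` followed by the existing `break; /* abort early - extradata length is bad */`. The declarations of `extradata` and `data_len` are not visible in this hunk: if `data_len` can be negative, `INT_MAX - data_len` itself overflows, so a `data_len < 0` check (or an unsigned comparison) belongs in front of it — please confirm against the declarations. `INT_MAX` requires `<limits.h>`, and whether the file already includes it is not visible here. ff_audio_decode_data begins before and continues after this hunk.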
@@ -606,6 +606,10 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 su = this->av_frame->data[1];
 sv = this->av_frame->data[2];
+ /* Some segfaults & heap corruption have been observed with img->height,
+ * so we use this->bih.biHeight instead (which is the displayed height)
+ */
+
 if (this->context->pix_fmt == PIX_FMT_YUV410P) {
 yuv9_to_yv12(
@@ -626,7 +630,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 img->pitches[2],
 /* width x height */
 img->width,
- img->height);
+ this->bih.biHeight);
 } else if (this->context->pix_fmt == PIX_FMT_YUV411P) {
@@ -648,7 +652,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 img->pitches[2],
 /* width x height */
 img->width,
- img->height);
+ this->bih.biHeight);
 } else if (this->context->pix_fmt == PIX_FMT_RGBA32) {
@@ -656,7 +660,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 uint32_t *argb_pixels;
 uint32_t argb;
- for(y = 0; y < img->height; y++) {
+ for(y = 0; y < this->bih.biHeight; y++) {
 argb_pixels = (uint32_t *)sy;
 for(x = 0; x < img->width; x++) {
 uint8_t r, g, b;
@@ -684,7 +688,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 uint8_t *src;
 uint16_t pixel16;
- for(y = 0; y < img->height; y++) {
+ for(y = 0; y < this->bih.biHeight; y++) {
 src = sy;
 for(x = 0; x < img->width; x++) {
 uint8_t r, g, b;
@@ -713,7 +717,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 uint8_t *src;
 uint16_t pixel16;
- for(y = 0; y < img->height; y++) {
+ for(y = 0; y < this->bih.biHeight; y++) {
 src = sy;
 for(x = 0; x < img->width; x++) {
 uint8_t r, g, b;
@@ -741,7 +745,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 int x, plane_ptr = 0;
 uint8_t *src;
- for(y = 0; y < img->height; y++) {
+ for(y = 0; y < this->bih.biHeight; y++) {
 src = sy;
 for(x = 0; x < img->width; x++) {
 uint8_t r, g, b;
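Review bot: Every loop rewritten in these hunks (@606 through @741 here, and @765, @808, @825 and @833 following) now bounds its rows by `this->bih.biHeight` while still advancing `dy` by `img->pitches[0]` into the destination frame `img`, and nothing in the hunks checks that `biHeight` does not exceed `img->height`; if `bih` is the container's BITMAPINFOHEADER that value comes from the file, and a value larger than the allocated frame height would move the overrun from the source plane to the destination plane rather than remove it — please confirm how `img` is sized relative to `bih.biHeight` in the frame-allocation path, which lies outside these hunks. A single clamped local at the top of ff_convert_frame, `int height = this->bih.biHeight; if (height > img->height) height = img->height;`, used by all the loops would make the bound explicit in one place and replace the ten repeated `this->bih.biHeight` expressions. A negative `biHeight` (the top-down convention in that header, if it can reach this point) makes every loop run zero times, which is memory-safe but silently yields an unconverted frame and deserves a comment. The comment block added in the first hunk could state the invariant rather than the symptom, e.g. `/* Bound rows by bih.biHeight (the displayed height), not img->height: the two differ when the height is not a multiple of 16 */`. ff_convert_frame begins before the first hunk and continues past the last.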
@@ -765,7 +769,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 int x, plane_ptr = 0;
 uint8_t *src;
- for(y = 0; y < img->height; y++) {
+ for(y = 0; y < this->bih.biHeight; y++) {
 src = sy;
 for(x = 0; x < img->width; x++) {
 uint8_t r, g, b;
@@ -808,7 +812,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 v_palette[x] = COMPUTE_V(r, g, b);
 }
- for(y = 0; y < img->height; y++) {
+ for(y = 0; y < this->bih.biHeight; y++) {
 src = sy;
 for(x = 0; x < img->width; x++) {
 pixel = *src++;
@@ -825,7 +829,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 } else {
- for (y=0; yheight; y++) {
+ for (y = 0; y < this->bih.biHeight; y++) {
 xine_fast_memcpy (dy, sy, img->width);
 dy += img->pitches[0];
@@ -833,7 +837,7 @@ static void ff_convert_frame(ff_video_decoder_t *this, vo_frame_t *img) {
 sy += this->av_frame->linesize[0];
 }
- for (y=0; y<(img->height/2); y++) {
+ for (y = 0; y < this->bih.biHeight / 2; y++) {
 if (this->context->pix_fmt != PIX_FMT_YUV444P) {
--
cgit v1.2.3
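Review bot: The chroma loop at `+ for (y = 0; y < this->bih.biHeight / 2; y++)` in the @833 hunk truncates on odd heights: 4:2:0 chroma planes hold (height + 1) / 2 rows, so with an odd `biHeight` the last chroma row is never written and keeps whatever the frame buffer already held, while the luma loop in the @825 hunk copies all `biHeight` rows. If the vo frame's chroma planes are allocated with rounded-up rows, `(this->bih.biHeight + 1) / 2` keeps luma and chroma consistent; if they are not, the current floor is the safe choice and should say so, e.g. `/* floor: chroma planes are only biHeight/2 rows high */`. The removed line in the @825 hunk is garbled in this rendering (`yheight`), presumably `y<img->height`; nothing to act on there. The enclosing block continues past the end of the @833 hunk.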