Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#7872 closed defect (fixed)

libavcodec/scpr.c:decompress_p Uninitialized variable access

Reported by: fisher
Owned by:
Priority: normal
Component: avcodec
Version: git-master
Keywords: scpr
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

In libavcodec/scpr.c, the decompress_p function has an uninitialized variable |min|. decode_value() can fail without assigning a value to |min|, so in min += temp << 8; an uninitialized variable access happens.

static int decompress_p(AVCodecContext *avctx,
                        uint32_t *dst, int linesize,
                        uint32_t *prev, int plinesize)
{
    SCPRContext *s = avctx->priv_data;
    GetByteContext *gb = &s->gb;
    int ret, temp = 0, min, max, x, y, cx = 0, cx1 = 0; /* min has no initializer */
    int backstep = linesize - avctx->width;

    if (bytestream2_get_byte(gb) == 0)
        return 1;
    bytestream2_skip(gb, 1);
    init_rangecoder(&s->rc, gb);

    ret  = decode_value(s, s->range_model, 256, 1, &min);
    ret |= decode_value(s, s->range_model, 256, 1, &temp);
    min += temp << 8; /* reads min even if decode_value() failed before writing it */
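The pattern the report describes, reduced to a stand-alone C sketch (an added example, not FFmpeg code and not the fix committed for this ticket). `read_byte()` is a hypothetical stand-in for `decode_value()`, and the `stale` parameter models the indeterminate contents of `min` so the behaviour is reproducible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for decode_value(): writes *out only on success. */
static int read_byte(const uint8_t *buf, size_t len, size_t *pos, int *out)
{
    if (*pos >= len)
        return -1;              /* failure path leaves *out untouched */
    *out = buf[(*pos)++];
    return 0;
}

/* Pattern from the ticket: return codes are OR-ed together and the
 * arithmetic runs before ret is examined. 'stale' models whatever the
 * uninitialized slot held, so this demo stays deterministic. */
static int parse_min_deferred(const uint8_t *buf, size_t len, int stale, int *result)
{
    size_t pos = 0;
    int ret, temp = 0, min = stale;
    ret  = read_byte(buf, len, &pos, &min);
    ret |= read_byte(buf, len, &pos, &temp);
    min += temp << 8;           /* runs even if the first read failed */
    *result = min;
    return ret;
}

/* Hardened form: defined initial value, and each return code is checked
 * before the output it guards is read. */
static int parse_min_checked(const uint8_t *buf, size_t len, int *result)
{
    size_t pos = 0;
    int ret, temp = 0, min = 0;
    if ((ret = read_byte(buf, len, &pos, &min)) < 0)
        return ret;
    if ((ret = read_byte(buf, len, &pos, &temp)) < 0)
        return ret;
    *result = min + (temp << 8);
    return 0;
}

int main(void)
{
    int out = 0;                /* constructed input: empty (truncated) buffer */
    int ret = parse_min_deferred(NULL, 0, 0x5a5a, &out);
    printf("deferred: ret=%d out=0x%x\n", ret, (unsigned)out);
    printf("checked:  ret=%d\n", parse_min_checked(NULL, 0, &out));
    return 0;
}
```

On the empty buffer the deferred variant reports an error but has already folded the stale value into its result, while the checked variant returns before touching the output.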

Change History (7)

comment:1 by Carl Eugen Hoyos, 5 years ago

Keywords: scpr added
Resolution: fixed
Status: new → closed
Version: unspecified → git-master

comment:2 by fisher, 5 years ago

Will FFmpeg give me a credit or acknowledgement?

comment:3 by Elon Musk, 5 years ago

This is not a security bug.

comment:4 by fisher, 5 years ago

You think uninitialized variable access is not a security bug?

comment:5 by Elon Musk, 5 years ago

Exactly.

comment:6 by fisher, 5 years ago

Hope FFmpeg will not be attacked by this kind of bug. By the way, are you a security engineer of FFmpeg or a developer?

comment:7 by Elon Musk, 5 years ago

If you want to report security issues: see http://ffmpeg.org/security.html
