From patchwork Thu Jun 27 21:11:30 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gregor Jasny <gjasny@googlemail.com>
X-Patchwork-Id: 19099
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1UsJTp-0002L5-HL; Thu, 27 Jun 2013 23:11:49 +0200
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.72/mailfrontend-5) with esmtp
	id 1UsJTn-0001E2-8c; Thu, 27 Jun 2013 23:11:49 +0200
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754104Ab3F0VLp (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Thu, 27 Jun 2013 17:11:45 -0400
Received: from mail-ee0-f41.google.com ([74.125.83.41]:43282 "EHLO
	mail-ee0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753849Ab3F0VLo (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Thu, 27 Jun 2013 17:11:44 -0400
Received: by mail-ee0-f41.google.com with SMTP id d17so663428eek.28
	for <linux-media@vger.kernel.org>;
	Thu, 27 Jun 2013 14:11:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references;
	bh=ucWBa4iUkeltZK2gI139SpmuRezUMM5dNhYvpsTZ+mQ=;
	b=INIToFQmCOH48Af6pZLsCPwW8MJIyMbvw4hpvhHjgc5599CaD6P+9znDKLNPZQdxX3
	VffQd18InbVSjnmPwV++n32aqru63ZYxdJioYZx8xYexykoAVVFgQJ6saMz5Txttx58p
	OkxXCfITqjgTwF9h93SYt29I3qJ2qhUZM/a+pT/eAto+07x5vfFLqqnQRDnqKTaTSEFa
	ZyyjDm15rmckiOb1mliNjB//rWhG1UBr/RNHnTRSQdlKYyjvORqpnNx2f1TpvopXDfWV
	+LHlEe2oZGFpG5lRI5QVW53HiT/+PSrVxGkp+OTb9uP/Mj9wQLjwIwwUYhKjtnTN1mE3
	nxjQ==
X-Received: by 10.14.38.14 with SMTP id z14mr10835249eea.49.1372367503449;
	Thu, 27 Jun 2013 14:11:43 -0700 (PDT)
Received: from sid.fritz.box (g229037005.adsl.alicedsl.de. [92.229.37.5])
	by mx.google.com with ESMTPSA id
	p49sm6269104eeu.2.2013.06.27.14.11.41 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 27 Jun 2013 14:11:42 -0700 (PDT)
From: Gregor Jasny <gjasny@googlemail.com>
To: linux-media@vger.kernel.org
Cc: Gregor Jasny <gjasny@googlemail.com>
Subject: [PATCH 1/2] libv4lconvert: Prevent integer overflow by checking
	width and height
Date: Thu, 27 Jun 2013 23:11:30 +0200
Message-Id: <1372367491-13187-2-git-send-email-gjasny@googlemail.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1372367491-13187-1-git-send-email-gjasny@googlemail.com>
References: <1372367491-13187-1-git-send-email-gjasny@googlemail.com>
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2013.6.27.210624
X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report='
	HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0,
	BODY_SIZE_2000_2999 0, BODY_SIZE_5000_LESS 0,
	BODY_SIZE_7000_LESS 0, DKIM_SIGNATURE 0, URI_ENDS_IN_HTML 0,
	__ANY_URI 0, __CP_URI_IN_BODY 0, __FRAUD_BODY_WEBMAIL 0,
	__FRAUD_WEBMAIL 0, __FRAUD_WEBMAIL_FROM 0, __HAS_FROM 0,
	__HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0,
	__IN_REP_TO 0, __MIME_TEXT_ONLY 0, __PHISH_SPEAR_STRUCTURE_1 0,
	__SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0,
	__TO_NO_NAME 0, __URI_NS , __YOUTUBE_RCVD 0'

The Mayhem Team found a crash caused by an integer overflow.
Details are here:
http://www.forallsecure.com/bug-reports/8aae67d864bce76993f3f9812b4a2aeea0eb38da/

Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
---
 lib/libv4lconvert/ov511-decomp.c | 7 ++++++-
 lib/libv4lconvert/ov518-decomp.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/libv4lconvert/ov511-decomp.c b/lib/libv4lconvert/ov511-decomp.c
index 90fc4b1..971d497 100644
--- a/lib/libv4lconvert/ov511-decomp.c
+++ b/lib/libv4lconvert/ov511-decomp.c
@@ -14,6 +14,7 @@
  * Free Software Foundation; version 2 of the License.
  */
 
+#include <limits.h>
 #include <string.h>
 #include <unistd.h>
 #include "helper-funcs.h"
@@ -640,7 +641,11 @@ int main(int argc, char *argv[])
 
 
 		dest_size = width * height * 3 / 2;
-		if (dest_size > sizeof(dest_buf)) {
+		if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+			fprintf(stderr, "%s: error: width or height out of bounds\n",
+					argv[0]);
+			dest_size = -1;
+		} else if (dest_size > sizeof(dest_buf)) {
 			fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
 					argv[0], dest_size);
 			dest_size = -1;
diff --git a/lib/libv4lconvert/ov518-decomp.c b/lib/libv4lconvert/ov518-decomp.c
index 47b5cbb..91d908c 100644
--- a/lib/libv4lconvert/ov518-decomp.c
+++ b/lib/libv4lconvert/ov518-decomp.c
@@ -15,6 +15,7 @@
  * Free Software Foundation; version 2 of the License.
  */
 
+#include <limits.h>
 #include <string.h>
 #include <unistd.h>
 #include "helper-funcs.h"
@@ -1454,7 +1455,11 @@ int main(int argc, char *argv[])
 
 
 		dest_size = width * height * 3 / 2;
-		if (dest_size > sizeof(dest_buf)) {
+		if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+			fprintf(stderr, "%s: error: width or height out of bounds\n",
+					argv[0]);
+			dest_size = -1;
+		} else if (dest_size > sizeof(dest_buf)) {
 			fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
 					argv[0], dest_size);
 			dest_size = -1;