Bug#964300: liboggz2: Segmentation Fault in dirac_parse_info()

To: Rafael Dutra <rafael.dutra@cispa.saarland>, 964300@bugs.debian.org
Subject: Bug#964300: liboggz2: Segmentation Fault in dirac_parse_info()
From: Petter Reinholdtsen <pere@hungry.com>
Date: Mon, 3 Feb 2025 00:02:44 +0100
Message-id: <[🔎] Z5_5lJKL3b5YRpd8@hjemme.reinholdtsen.name>
Reply-to: Petter Reinholdtsen <pere@hungry.com>, 964300@bugs.debian.org
In-reply-to: <68817eeb-72b2-ee5d-adb9-dc6e2afc9a21@cispa.saarland>
References: <68817eeb-72b2-ee5d-adb9-dc6e2afc9a21@cispa.saarland> <68817eeb-72b2-ee5d-adb9-dc6e2afc9a21@cispa.saarland>

[Rafael Dutra]
> Install oggz-tools package. Run the command
> oggz-validate input_file.ogg
> 
> I'm sending attached an input file that triggers the bug.

Thank you.  The following patch change the behaviour a bit:

  serialno 18446744072497266762: missing *** bos
  File contains no Ogg packets

It also get rid of any valgrind issues when checking the file.

diff --git a/src/liboggz/dirac.c b/src/liboggz/dirac.c
index eb616f6..697875e 100644
--- a/src/liboggz/dirac.c
+++ b/src/liboggz/dirac.c
@@ -119,9 +118,18 @@ dirac_parse_info (dirac_info *info, unsigned char * data, long len)
     ogg_uint32_t fps_numerator, fps_denominator;
   } dirac_frate_tbl[] = { /* table 10.3 */
     {1,1}, /* this first value is never used */
-    {24000,1001}, {24,1}, {25,1}, {30000,1001}, {30,1},
-    {50,1}, {60000,1001}, {60,1}, {15000,1001}, {25,2}
+    {24000,1001},
+    {24,1},
+    {25,1},
+    {30000,1001},
+    {30,1},
+    {50,1},
+    {60000,1001},
+    {60,1},
+    {15000,1001},
+    {25,2}
   };
+#define DIRAC_FRATE_TBL_LEN (sizeof(dirac_fsize_tbl) / sizeof(dirac_fsize_tbl[0]))
 
   static const ogg_uint32_t dirac_vidfmt_frate[] = { /* table C.1 */
     1, 9, 10, 9, 10, 9, 10, 4, 3, 7, 6, 4, 3, 7, 6, 2, 2, 7, 6, 7, 6
@@ -152,7 +160,7 @@ dirac_parse_info (dirac_info *info, unsigned char * data, long len)
   info->level = dirac_uint( &bs ); /* level */
   info->video_format = video_format = dirac_uint( &bs ); /* index */
 
-  if (video_format >= (sizeof(dirac_fsize_tbl) / sizeof(dirac_fsize_tbl[0]))) {
+  if (video_format >= DIRAC_FRATE_TBL_LEN) {
     return -1; 
   }
 
@@ -184,6 +192,11 @@ dirac_parse_info (dirac_info *info, unsigned char * data, long len)
   info->fps_denominator = dirac_frate_tbl[dirac_vidfmt_frate[video_format]].fps_denominator;
   if (dirac_bool( &bs )) {
     ogg_uint32_t frame_rate_index = dirac_uint( &bs );
+
+    if (frame_rate_index >= DIRAC_FRATE_TBL_LEN) {
+      return -1;
+    }
+
     info->fps_numerator = dirac_frate_tbl[frame_rate_index].fps_numerator;
     info->fps_denominator = dirac_frate_tbl[frame_rate_index].fps_denominator;
     if (frame_rate_index == 0) {

-- 
Happy hacking
Petter Reinholdtsen

Reply to:

Follow-Ups:
- Bug#964300: liboggz2: Segmentation Fault in dirac_parse_info()
  - From: Petter Reinholdtsen <pere@hungry.com>

Prev by Date: Bug#1089574: marked as done (blender:FTBFS:build failure on riscv (error: #error Please add support for your architecture in BLI_build_config.h))
Next by Date: Bug#964301: liboggz2: Segmentation Fault (write) in auto_calc_theora()
Previous by thread: Bug#1089574: marked as done (blender:FTBFS:build failure on riscv (error: #error Please add support for your architecture in BLI_build_config.h))
Next by thread: Bug#964300: liboggz2: Segmentation Fault in dirac_parse_info()
Index(es):
- Date
- Thread