Skip to content

Fix warning logical-op-parentheses #9

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix warning logical-op-parentheses #9

wants to merge 1 commit into from

Conversation

jhasse
Copy link
Contributor

@jhasse jhasse commented Nov 13, 2019 

lib/decinfo.c:58:42: warning: '&&' within '||' [-Wlogical-op-parentheses]

@rillian
Copy link
Contributor

rillian commented Feb 27, 2020

Thanks for the patch. I've merged this in 31e885e.

@rillian rillian closed this Feb 27, 2020
UnionTech-Software added a commit to UnionTech-Software/theora that referenced this pull request Dec 23, 2024
@UnionTech-Software
Fix the runtime error: shift exponent -1 is negative in huffdec.c
1a1e481 
When calling the function th_decode_ceaderin through constructed data, it will cause the len value in the oc_fuff_tree_unpack function to be -1 when subsequent functions run, resulting in the problem of negative displacement. This modification is to avoid len being negative

huffdec.c:228:27: runtime error: shift exponent -1 is negative
    #0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
    xiph#1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
    xiph#2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
    xiph#3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
    xiph#4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
    xiph#5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
    xiph#6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
    xiph#7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
    xiph#8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    xiph#9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    xiph#10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)
@UnionTech-Software UnionTech-Software mentioned this pull request Dec 23, 2024
Closed
ePirat pushed a commit that referenced this pull request Mar 10, 2025
@UnionTech-Software
Fix the runtime error: shift exponent -1 is negative in huffdec.c
eecd1ad 
When calling the function th_decode_ceaderin through constructed data,
it will cause the len value in the oc_fuff_tree_unpack function to be
-1 when subsequent functions run, resulting in the problem of negative
displacement. This modification is to avoid len being negative

huffdec.c:228:27: runtime error: shift exponent -1 is negative
    #0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
    #1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
    #2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
    #3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
    #4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
    #5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
    #6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
    #7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
    #8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)

Addresses CVE-2024-56431.

Fixes github pull request #19.

Signed-off-by: Petter Reinholdtsen <pere@hungry.com>
ePirat pushed a commit that referenced this pull request Mar 10, 2025
Avoid negative bit shift operatoin in huffdec.c (CVE-2024-56431).
5665f86 
A crash was discovered using input fuzzying, in th_decode_ceaderin()
where the len value in the oc_fuff_tree_unpack() can end up as -1.
Added a check to ensure this do not happen.

Based on feedback from Timothy B. Terriberry.

The issue was discovered using gcc sanitazion, which reported the following:

huffdec.c:228:27: runtime error: shift exponent -1 is negative
    #0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
    #1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
    #2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
    #3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
    #4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
    #5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
    #6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
    #7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
    #8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)

Fixes github pull request #19.
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jhasse @rillian