[FFmpeg-devel] FLAC crash on invalid data
Michael Niedermayer
Thu Oct 4 13:54:57 CEST 2007
On Thu, Oct 04, 2007 at 06:36:08AM -0400, Justin Ruggles wrote:
> Uoti Urpala wrote:
>> metadata_parse() does
>> metadata_size = get_bits_long(&s->gb, 24);
>> then
>> for (i=0; i<metadata_size; i++)
>> skip_bits(&s->gb, 8);
>> with no sanity checks against read buffer size.
>
> Patch attached. Simpler than the last patch I submitted to fix the same
> issue.
[...]
> Index: libavcodec/flac.c
> ===================================================================
> --- libavcodec/flac.c (revision 10650)
> +++ libavcodec/flac.c (working copy)
> @@ -190,7 +190,12 @@
> av_log(s->avctx, AV_LOG_DEBUG,
> " metadata block: flag = %d, type = %d, size = %d\n",
> metadata_last, metadata_type, metadata_size);
> - if (metadata_size) {
> + if (metadata_size > 0) {
nonsense cosmetic change, metadata_size cannot be < 0
> + int bits_left = s->gb.size_in_bits - get_bits_count(&s->gb);
> + if(bits_left < metadata_size*8) {
> + skip_bits_long(&s->gb, bits_left);
> + break;
> + }
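Review bot: the `skip_bits_long(&s->gb, bits_left); break;` path in this hunk turns a truncated or invalid metadata block into a silent success, so the caller never learns the stream was bad; return a negative error code from metadata_parse() (and av_log the condition) instead of consuming the rest of the buffer and breaking out. The `if (metadata_size)` to `if (metadata_size > 0)` change in the same hunk is a no-op, since metadata_size is read with get_bits_long(&s->gb, 24) and cannot be negative, so it should be dropped to keep the patch minimal.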
don't silently ignore errors
the whole thing just needs a
if(invalid data)
return appropriate error (unless that throws things into an inconsistent
state, but that doesn't seem to be the case here; also you could print an
error message ...)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
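A bounds-checked walk over FLAC metadata block headers, added here as an example of the approach Michael's reply asks for (fail with an error on invalid data rather than skipping and breaking); it is not FFmpeg code and does not use its bitreader, and the error code, function names and sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Error code for the walker below (constructed for this example). */
enum { FLAC_META_ETRUNC = -1 };

/* Walk FLAC metadata block headers starting right after the "fLaC" marker.
 * Header layout: byte 0 = last-block flag (bit 7) | block type (bits 0-6);
 * bytes 1..3 = 24-bit big-endian payload length.
 * Returns the number of blocks walked (>= 0), or FLAC_META_ETRUNC when a
 * header or payload would run past the end of the buffer. On success
 * *consumed receives the number of bytes the metadata occupied. */
int flac_walk_metadata(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t pos = 0;
    int nblocks = 0;

    for (;;) {
        uint32_t size;
        int last;

        if (len - pos < 4)                 /* the 4-byte header must fit */
            return FLAC_META_ETRUNC;
        last = buf[pos] >> 7;
        size = ((uint32_t)buf[pos + 1] << 16) |
               ((uint32_t)buf[pos + 2] << 8)  |
                (uint32_t)buf[pos + 3];
        pos += 4;

        /* Check the payload against the remaining input before skipping it;
         * this is the check metadata_parse() was missing. Comparing against
         * len - pos (rather than adding to pos) cannot wrap. */
        if (size > len - pos)
            return FLAC_META_ETRUNC;
        pos += size;
        nblocks++;
        if (last)
            break;
    }
    *consumed = pos;
    return nblocks;
}

/* Constructed sample: a 2-byte block of type 0, then a last block of type 4
 * carrying 3 bytes. Payload bytes are arbitrary filler. */
static const uint8_t sample_meta[] = {
    0x00, 0x00, 0x00, 0x02, 0xaa, 0xbb,
    0x84, 0x00, 0x00, 0x03, 0x01, 0x02, 0x03
};

int example_valid(void)     { size_t c; return flac_walk_metadata(sample_meta, sizeof sample_meta, &c); }
int example_truncated(void) { size_t c; return flac_walk_metadata(sample_meta, 10, &c); }
```

Feeding the same buffer with its last three payload bytes cut off makes the walker return the error instead of reporting two good blocks.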