[Ffmpeg-devel] Memory corruption playing invalid h264 file

Michael Niedermayer michaelni
Mon May 1 02:36:09 CEST 2006


On Mon, May 01, 2006 at 02:08:24AM +0300, Uoti Urpala wrote:
> I got memory corruption leading to a crash when playing a corrupted h264
> file. It seems the reason was mpegvideo.c ff_find_unused_picture()
> returning -1 when it fails to find an unused one (after assert(0), but
> asserts are disabled). Code calling ff_find_unused_picture() does not
> check the return value and proceeds to write to s->picture[-1].

running out of unused pics is an internal error IMHO, it shouldn't happen,
so the assert(0) there is correct

so we need to do at least one of the following:
1 fix the h264 decoder so it doesn't try to alloc too many pics (not even
  for broken bitstreams ...)
2 check the return type everywhere and do something sane, in that case
  we might choose to drop the assert(0) of course
3 ensure an immediate and clean failure (abort() is better than an exploit)

the problem with 2. is that failing to alloc a pic will likely lead to
many further problems when we try to access it, and it doesn't help
as after adding all the checks everywhere we still have a problem as
we won't have a pic into which we can decode ...
so I doubt this is the correct way to go but patches are welcome of course ...


if no one has a better suggestion I'll implement 3. (even if we fix the
h.264 decoder this is still a good idea for safety IMHO)



In the past you could go to a library and read, borrow or copy any book
Today you'd get arrested for merely telling someone where the library is
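The two remedies discussed in this thread, checking the return value (option 2) and failing immediately (option 3), side by side in a constructed toy model. This is an added example, not code from the thread or from FFmpeg: the types and functions (Picture, Context, find_unused_picture, alloc_picture_checked, alloc_picture_fail_fast, count_refused) are hypothetical stand-ins that only keep the contract the report describes, an index on success and -1 when the pool is exhausted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of a decoder picture pool. All names here are
 * hypothetical stand-ins, not FFmpeg's own mpegvideo.c / h264 code. */
#define POOL_SIZE 4

typedef struct {
    int in_use;
    unsigned char data[64];
} Picture;

typedef struct {
    Picture picture[POOL_SIZE];
} Context;

/* Same contract as the function discussed in the thread: index of a free
 * slot, or -1 when every slot is taken. An unchecked caller that does
 * s->picture[i] with i == -1 writes before the start of the array. */
int find_unused_picture(const Context *s)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!s->picture[i].in_use)
            return i;
    return -1;
}

/* Option 2: check the return value and fail sanely. Returns the slot
 * index (>= 0) on success and -1 on failure; on failure no picture
 * memory is touched, so a corrupt bitstream cannot turn pool exhaustion
 * into an out-of-bounds write. The caller must propagate the error. */
int alloc_picture_checked(Context *s)
{
    int i = find_unused_picture(s);
    if (i < 0)
        return -1;
    s->picture[i].in_use = 1;
    memset(s->picture[i].data, 0, sizeof s->picture[i].data);
    return i;
}

/* Option 3: an immediate, clean failure at the point of the internal
 * error instead of silent memory corruption further down the line. */
int alloc_picture_fail_fast(Context *s)
{
    int i = find_unused_picture(s);
    if (i < 0) {
        fputs("internal error: picture pool exhausted\n", stderr);
        abort();
    }
    s->picture[i].in_use = 1;
    memset(s->picture[i].data, 0, sizeof s->picture[i].data);
    return i;
}

/* Models a broken stream that keeps requesting new pictures without
 * releasing any, and reports how many requests the checked allocator
 * refused rather than corrupting memory. */
int count_refused(int requests)
{
    Context s;
    int refused = 0;
    memset(&s, 0, sizeof s);
    for (int n = 0; n < requests; n++)
        if (alloc_picture_checked(&s) < 0)
            refused++;
    return refused;
}

int main(void)
{
    /* A pool of 4 given 6 requests refuses the last 2. */
    printf("refused %d of 6 requests\n", count_refused(6)); /* refused 2 of 6 */
    return 0;
}
```

The checked variant is only safe if every caller actually acts on the -1, which is the objection raised above: a decoder that has no picture to decode into still has to unwind cleanly. The fail-fast variant removes that burden at the cost of terminating the process, which is why it is the one proposed as the baseline safety net.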
