[FFmpeg-devel] [RFC] SDP Generation

Michael Niedermayer michaelni
Tue Jul 17 19:33:47 CEST 2007


Hi

On Tue, Jul 17, 2007 at 05:42:09PM +0200, Luca Abeni wrote:
[...]
> > [...]
> >> static char *sdp_media_attributes(char *buff, int size, AVCodecContext *c, int payload_type)
> >> {
> >>     char *config = NULL;
> >>
> >>     switch (c->codec_id) {
> >>         case CODEC_ID_MPEG4:
> >>             if (c->flags & CODEC_FLAG_GLOBAL_HEADER) {
> >>                 config = av_malloc(10 + c->extradata_size * 2);
> >>                 if (config == NULL) {
> >>                     av_log(NULL, AV_LOG_ERROR, "Cannot allocate memory for the config info\n");
> > 
> > please check that 10 + c->extradata_size * 2 doesn't overflow
> 
> I think I did:
> - "; config=" is 9 characters
> - extradata is encoded in extradata_size * 2 characters
> - then there is the \0 at the end
> Am I missing something?

yes, let's assume extradata_size is INT_MAX
INT_MAX*2 + 10 is 8 or so, your extradata encoding overflows the buffer

I don't think there's anything which would stop a file with such large
extradata from being loaded if there's enough memory ...
sending that then with SDP could be exploited

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
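
The wrap discussed in this message, as an added example that is not part of the original mail or of FFmpeg's code: the size expression evaluated for INT_MAX next to a bounds-checked version. The names config_size_unchecked, config_size_checked and encode_config are hypothetical, malloc() stands in for av_malloc(), the uppercase hex format is an assumption, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size expression from the quoted code. Signed overflow is undefined in C, so
 * the wrap is modelled with unsigned arithmetic (assumes 32-bit int). */
int config_size_unchecked(int extradata_size)
{
    return (int)(10u + (unsigned)extradata_size * 2u);
}

/* Hypothetical checked variant: reject any extradata_size for which
 * 10 + extradata_size * 2 does not fit in an int. */
int config_size_checked(int extradata_size, size_t *out)
{
    if (extradata_size < 0 || extradata_size > (INT_MAX - 10) / 2)
        return -1;
    *out = 10 + (size_t)extradata_size * 2;
    return 0;
}

/* Hypothetical helper: builds "; config=<hex>" in a buffer sized by the checked
 * expression; malloc() stands in for av_malloc(). NULL on rejection. */
char *encode_config(const uint8_t *extradata, int extradata_size)
{
    size_t size;
    char *config, *p;

    if (config_size_checked(extradata_size, &size) < 0 || !(config = malloc(size)))
        return NULL;
    p = config + sprintf(config, "; config=");
    for (int i = 0; i < extradata_size; i++)
        p += sprintf(p, "%02X", (unsigned)extradata[i]);
    return config;
}

int main(void)
{
    const uint8_t sample[] = { 0x00, 0x00, 0x01, 0xB0 }; /* constructed input */
    char *s = encode_config(sample, (int)sizeof(sample));

    printf("unchecked size for INT_MAX: %d\n", config_size_unchecked(INT_MAX));
    printf("encoded: %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```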