[FFmpeg-devel] [PATCH] ac3_probe input buffer overrun

Michael Niedermayer michaelni
Sat Sep 1 03:17:07 CEST 2007


Hi

On Sat, Sep 01, 2007 at 01:31:59AM +0200, Michael Niedermayer wrote:
> Hi
> 
> On Tue, Aug 28, 2007 at 09:38:47AM -0000, Wolfram Gloger wrote:
> > Hi,
> > 
> > I found this with valgrind.
> > 
> > Regards,
> > Wolfram.
> 
> > --- trunk/libavformat/raw.c	2007-08-11 17:29:37.000000000 +0200
> > +++ ffmpeg-test/libavformat/raw.c	2007-08-28 11:29:48.000000000 +0200
> > @@ -416,7 +416,7 @@
> >      for(; buf < end; buf++) {
> >          buf2 = buf;
> >  
> > -        for(frames = 0; buf2 < end; frames++) {
> > +        for(frames = 0; buf2+7 <= end; frames++) { 
> >              if(ff_ac3_parse_header(buf2, &hdr) < 0)
> >                  break;
> >              buf2 += hdr.frame_size;
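Review bot: the new loop condition hard-codes the literal 7 as the number of bytes ff_ac3_parse_header reads from buf2, with nothing in the hunk tying that number to the parser; name it (a constant shared with the parser, or at least a comment stating it is the sync-frame header size) so the bound can be checked against what the parser actually reads. The `+` line also carries trailing whitespace. Given that the probe buffer is allocated with AVPROBE_PADDING_SIZE extra bytes past `end`, the commit message should state whether the parser can read further than that padding, since that decides whether this guard fixes a real overrun or only silences a valgrind report.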
> 
> ac3 maintainer justin, ping!

and note:
#define AVPROBE_PADDING_SIZE 32             ///< extra allocated bytes at the end of the probe buffer

so this patch is likely wrong but I dunno how much ff_ac3_parse_header
can read or ...

note2, valgrind is buggy and sometimes claims uninitialized memory would be
used while it actually isn't!

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
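Added example, not part of the patch or of FFmpeg: a stand-alone C model of the inner probe loop quoted above, run once with the original `buf2 < end` test and once with the patch's `buf2+7 <= end` guard, over a constructed buffer whose last sync word sits 4 bytes before `end`. `toy_parse_header`, `HDR_SIZE`, `PADDING` and `sample` are constructed stand-ins; the 7-byte figure is taken from the patch, and the padding mirrors the AVPROBE_PADDING_SIZE point made in the mail.

```c
#include <stddef.h>
#include <stdint.h>
#define HDR_SIZE 7    /* bytes the patch's `buf2+7 <= end` guard reserves */
#define PADDING  32   /* same role as AVPROBE_PADDING_SIZE in the mail */

/* Constructed stand-in for ff_ac3_parse_header: checks the AC-3 sync word,
 * returns a constructed frame size taken from byte 2 (-1 on failure), and
 * records the furthest of the HDR_SIZE header bytes in *furthest. */
static int toy_parse_header(const uint8_t *p, const uint8_t **furthest)
{
    const uint8_t *last = p + HDR_SIZE - 1;
    if (*furthest == NULL || last > *furthest)
        *furthest = last;
    if (p[0] != 0x0B || p[1] != 0x77 || p[2] == 0)
        return -1;
    return p[2];
}

/* One run of the inner probe loop. guarded == 0 is the original `buf2 < end`
 * test, guarded != 0 the patch's `buf2 + HDR_SIZE <= end`. Returns the frame
 * count; *overrun receives how many bytes past `end` the parser covered. */
static int probe_frames(const uint8_t *buf, const uint8_t *end, int guarded, int *overrun)
{
    const uint8_t *buf2 = buf, *furthest = NULL;
    int frames, frame_size;
    for (frames = 0; guarded ? buf2 + HDR_SIZE <= end : buf2 < end; frames++) {
        if ((frame_size = toy_parse_header(buf2, &furthest)) < 0)
            break;
        buf2 += frame_size;
    }
    *overrun = (furthest && furthest >= end) ? (int)(furthest - end + 1) : 0;
    return frames;
}

/* Constructed 16-byte probe buffer (plus padding, as libavformat allocates):
 * a 12-byte frame, then a sync word with only 4 bytes left before `end`. */
static uint8_t sample[16 + PADDING] = {
    0x0B, 0x77, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x0B, 0x77, 4, 0,
};

static int sample_frames(int guarded)
{
    int ov;
    return probe_frames(sample, sample + 16, guarded, &ov);
}

static int sample_overrun(int guarded)
{
    int ov;
    probe_frames(sample, sample + 16, guarded, &ov);
    return ov;
}
```

Unguarded, the loop parses the trailing sync word and the 7-byte header read reaches 3 bytes past `end`, which only stays in memory because of the padding; guarded, it stops one frame earlier and never reads past `end`.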