[FFmpeg-devel] [PATCH][RFC] nsv seeking
Michael Niedermayer
michaelni
Wed Apr 22 01:40:33 CEST 2009
On Tue, Apr 21, 2009 at 09:43:16PM +0530, Jai Menon wrote:
> On Mon, Apr 20, 2009 at 11:48 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> > On Mon, Apr 20, 2009 at 08:03:40PM +0530, Jai Menon wrote:
> >> On Mon, Apr 20, 2009 at 6:24 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> >> > On Sun, Apr 19, 2009 at 04:46:48PM +0530, Jai Menon wrote:
> >> >> On 4/18/09, Fran?ois Revol <revol at free.fr> wrote:
> >> > [...]
> >> >> @@ -348,12 +349,22 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
> >> >> ? ? ?PRINT(("NSV got infos; filepos %"PRId64"\n", url_ftell(pb)));
> >> >>
> >> >> ? ? ?if (table_entries_used > 0) {
> >> >> + ? ? ? ?int i;
> >> >> ? ? ? ? ?nsv->index_entries = table_entries_used;
> >> >> ? ? ? ? ?if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
> >> >> ? ? ? ? ? ? ?return -1;
> >> >> - ? ? ? ?nsv->nsvs_file_offset = av_malloc(table_entries * sizeof(uint32_t));
> >> >> -#warning "FIXME: Byteswap buffer as needed"
> >> >> - ? ? ? ?get_buffer(pb, (unsigned char *)nsv->nsvs_file_offset, table_entries * sizeof(uint32_t));
> >> >> + ? ? ? ?nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
> >> >> +
> >> >> + ? ? ? ?for(i=0;i<table_entries_used;i++)
> >> >> + ? ? ? ? ? ?nsv->nsvs_file_offset[i] = get_le32(pb) + size;
> >> >
> >> > exploitable
> >>
> >> I can't think of any feasible attack vector here. Could you be a little verbose.
> >
> > table_entries_used * 4 overflows
>
> So you want the file offset table entries to be 64 bit?
no i want you to make sure you allocate a table that is capable to
hold the number of entries you write into it
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Let us carefully observe those good qualities wherein our enemies excel us
and endeavor to excel them, by avoiding what is faulty, and imitating what
is excellent in them. -- Plutarch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090422/59455579/attachment.pgp>
More information about the ffmpeg-devel
mailing list