[FFmpeg-devel] [PATCH][RFC] nsv seeking

Michael Niedermayer michaelni
Wed Apr 22 21:21:54 CEST 2009


On Wed, Apr 22, 2009 at 10:07:12PM +0530, Jai Menon wrote:
> On Wed, Apr 22, 2009 at 10:03 PM, Jai Menon <jmenon86 at gmail.com> wrote:
> > On Wed, Apr 22, 2009 at 7:03 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> >> On Wed, Apr 22, 2009 at 12:27:20PM +0530, Jai Menon wrote:
> >>> On Wed, Apr 22, 2009 at 5:10 AM, Michael Niedermayer <michaelni at gmx.at> wrote:
> >>> > On Tue, Apr 21, 2009 at 09:43:16PM +0530, Jai Menon wrote:
> >>> >> On Mon, Apr 20, 2009 at 11:48 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> >>> >> > On Mon, Apr 20, 2009 at 08:03:40PM +0530, Jai Menon wrote:
> >>> >> >> On Mon, Apr 20, 2009 at 6:24 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> >>> >> >> > On Sun, Apr 19, 2009 at 04:46:48PM +0530, Jai Menon wrote:
> >>> >> >> >> On 4/18/09, Fran?ois Revol <revol at free.fr> wrote:
> >>> >> >> > [...]
> >>> >> >> >> @@ -348,12 +349,22 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
> >>> >> >> >> ? ? ?PRINT(("NSV got infos; filepos %"PRId64"\n", url_ftell(pb)));
> >>> >> >> >>
> >>> >> >> >> ? ? ?if (table_entries_used > 0) {
> >>> >> >> >> + ? ? ? ?int i;
> >>> >> >> >> ? ? ? ? ?nsv->index_entries = table_entries_used;
> >>> >> >> >> ? ? ? ? ?if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
> >>> >> >> >> ? ? ? ? ? ? ?return -1;
> >> [...]
> >>> >> >> >> + ? ? ? ?nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
> >>> >> >> >> +
> >>> >> >> >> + ? ? ? ?for(i=0;i<table_entries_used;i++)
> >>> >> >> >> + ? ? ? ? ? ?nsv->nsvs_file_offset[i] = get_le32(pb) + size;
> >>
> >>
> >>
> >>> >> >> >
> >>> >> >> > exploitable
> >>> >> >>
> >>> >> >> I can't think of any feasible attack vector here. Could you be a little verbose.
> >>> >> >
> >>> >> > table_entries_used * 4 overflows
> >>> >>
> >>> >> So you want the file offset table entries to be 64 bit?
> >>> >
> >>> > no i want you to make sure you allocate a table that is capable to
> >>> > hold the number of entries you write into it
> >>>
> >>> Sorry, I don't quite understand. There are table_entries_used no.of
> >>> entries in the file offset table. And I'm writing exactly those amount
> >>> to the buffer.
> >>
> >> example:
> >> table_entries_used= 0x4FFFFFFF
> >>
> >> table_entries_used * sizeof(uint32_t) = 0x4FFFFFFF * 4 = 0x3FFFFFFC
> >>
> >> nsv->nsvs_file_offset= av_malloc(0x3FFFFFFC)
> >>
> >> for(i=0; i<0x4FFFFFFF; i++)
> >> ? ?write 4 bytes to nsv->nsvs_file_offset[i]
> >
> > Thanks for the example. Is attached patch better?
> 
> Forgot to roll last change in.
> Patch attached.

probably ok assuming it works

[...]


-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090422/c4da6f6c/attachment.pgp>



More information about the ffmpeg-devel mailing list