[FFmpeg-devel] Neither vorbis_parse_setup_hdr_codebooks nor ff_vorbis_len2vlc verify data

Michael Niedermayer michaelni
Wed Jul 8 02:26:50 CEST 2009


On Sun, Jul 05, 2009 at 10:21:01AM +0200, Reimar Döffinger wrote:
> On Sun, Jul 05, 2009 at 10:18:02AM +0200, Reimar Döffinger wrote:
> > Hello,
> > sample is ogv/smclock.ogv.2.164.ogv from issue 1240.
> > vorbis_parse_setup_hdr_codebooks can at least create values up to 33
> > (get_bits(gb, 5)+1)

am i missing something? get_bits(gb, 5)+1 should be 32 max not 33


> > in the bits array (I am unsure what is possible in
> > the ordered case, looks like even higher values are possible).

yes i think so too


> > ff_vorbis_len2vlc which these values are then passed to on the other
> > hand just assumes that the bits values are at most 32, otherwise it just
> > writes beyond the exit_at_level and onto the stack, overwriting the
> > return address.
> > Since there is no documentation for the function the question is which
> > is wrong? Should ff_vorbis_len2vlc have a check or should
> > vorbis_parse_setup_hdr_codebooks?

i would guess that vorbis_parse_setup_hdr_codebooks() is the one that needs
a check as one side of the ordered branch can reach higher values, this
doesn't look too right but it's just my gut feeling.
Either way this one should be fixed, better at the wrong place than nowhere


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA


