[FFmpeg-devel] [PATCH] RTSP-MS 14/15: ASF packet parsing

Ronald S. Bultje rsbultje
Mon Jul 20 23:42:32 CEST 2009


Hi,

On Mon, Jul 20, 2009 at 5:25 PM, Michael Niedermayer<michaelni at gmx.at> wrote:
> this code looks like it will segfault with the right input
>
[... code follows below ...]
>
> On Mon, Jun 29, 2009 at 03:21:11PM -0400, Ronald S. Bultje wrote:
>> +static void
>> +rtp_asf_fix_header(uint8_t *buf, int len)
>> +{
>> + ? ?uint8_t *p = buf, *end = buf + len;
>> +
>> + ? ?if (len < sizeof(ff_asf_guid) * 2 + 22 ||
>> + ? ? ? ?memcmp(p, ff_asf_header, sizeof(ff_asf_guid))) {
>> + ? ? ? ?return;
>> + ? ?}

If we get here, p has at least 2xGUID+22 bytes available, and starts
with the ASF header.

>> + ? ?p += sizeof(ff_asf_guid) + 14;

So now we have 1xGUID+8 bytes available.

>> + ? ?do {
[... loop code follows below ...]
>> + ? ?} while (end - p >= sizeof(ff_asf_guid) + 8);

And this checks for the same condition, so within the loop, I always
have 1xGUID+8bytes available.

Loop code:

>> +        uint64_t len = AV_RL64(p + sizeof(ff_asf_guid));
>> +        if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) {
>> +            p += len;
>> +            continue;
>> +        }

Here we read exactly 1GUID + 8 bytes, and if we fail, then we re-do
the same check on the updated p. Should be OK.

If the condition passes:

>> +        /* skip most of the file header, to min_pktsize */
>> +        p += 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;

Updates p, but doesn't access it. If we did, we might be reading
1xGUID+52 outside the checked area, however...

>> +        if (p + 8 <= end && AV_RL32(p) == AV_RL32(p + 4)) {
>> +            /* and set that to zero */
>> +            AV_WL32(p, 0);
>> +        }
>> +        break;

Here we re-check p to ensure we have enough data available before
accessing it again.

Should be safe, no? I know, security-newbie here...

Ronald



More information about the ffmpeg-devel mailing list