[FFmpeg-devel] patch for mpegaudiodec.c to prevent buffer read-access overflow

Michael Niedermayer michaelni
Sat Mar 14 04:47:58 CET 2009 

fmOn Thu, Mar 12, 2009 at 12:32:50PM -0500, Francois Oligny-Lemieux wrote:
> On Wed, Mar 11, 2009 at 8:30 PM, Michael Niedermayer <michaelni at gmx.at>wrote:
> 
> > On Wed, Mar 11, 2009 at 01:35:31PM -0500, Francois Oligny-Lemieux wrote:
> > > Hi,
> > > I identified a place in mpegaudiodec.c where a crash could (and in my
> > case
> > > was) happening from time to time. The crash will happen when the audio
> > > header is corrupted. The original code was doing buf++ while searching
> > for
> > > the header without any consideration for the buffer end causing an
> > overflow
> > > and eventually a read-access violation. Also after a successful resync,
> > the
> > > code was not adjusting the buffer_size.
> > >
> > > I attached a patch containing the fix I'm using for this problem, but
> > feel
> > > free to make your own changes to it.
> > >
> > > Francois
> >
> > > Index: mpegaudiodec.c
> > > ===================================================================
> > > --- mpegaudiodec.c    (revision 17942)
> > > +++ mpegaudiodec.c    (working copy)
> > > @@ -2264,6 +2264,7 @@
> > >      uint32_t header;
> > >      int out_size;
> > >      OUT_INT *out_samples = data;
> > > +    uint8_t * buf_end = buf + buf_size;
> > >
> > >  retry:
> > >      if(buf_size < HEADER_SIZE)
> > > @@ -2274,8 +2275,12 @@
> > >          buf++;
> > >  //        buf_size--;
> > >          av_log(avctx, AV_LOG_ERROR, "Header missing skipping one
> > byte.\n");
> > > +        if ( buf + 3 > buf_end ){
> > > +            return -1; // will overflow
> > > +        }
> > >          goto retry;
> > >      }
> > > +    buf_size = buf_end - buf;
> >
> > considering that there is a check after retry and you dont fix the existing
> > check but rather add a second messy check
> > rejected
> 
> 
> I see what you mean... then I suggest just restoring the buf_size--. I don't
> know why it was left commented-out in the first place?

ok but this needs a bit of testing unless someone remembers why it was
commented out.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090314/967a7ae9/attachment.pgp>

More information about the ffmpeg-devel mailing list