[FFmpeg-devel] get_bits overrun checking from Google Chrome patches

Robert Swain robert.swain
Tue Sep 8 02:29:27 CEST 2009


Hello,

It seems there's an issue with some code in the AAC decoder where
parsing a file can cause overrunning of the end of the file by calling
get_bits() when there are not enough bits left to get.

Google have made this patch to add some overrun checking to get_bits():

http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/ugly/17_get_bits_overrun.patch

To quote their comments:

+    /* Ugly, but clients of this bit reader do not seem to check for enough
+     * data before calling. So we'll return 0's on overrun rather than crashing
+     * with random read faults.
+     */
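Review bot: the comment documents only the zero-return fallback, not the contract a caller has to follow, which is the part that matters for correctness. A zero return is indistinguishable from legitimately reading zero-valued bits, so a caller that inspects only the returned value (as in the while ((elem_type = get_bits(&gb, 3)) != TYPE_END) loop quoted below) cannot tell that it ran out of data and must consult buffer_exhausted after each read, as the mail itself describes; worse, a zero-filled read can never match a non-zero end marker, so zero-fill alone will not terminate such a loop. Suggest adding a sentence to the comment along the lines of "Callers must set buffer_enforcing after init_get_bits() and check buffer_exhausted after each read; the zero return is only a safety net."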

An example of the application of this is to set buffer_enforcing after
calling init_get_bits() and then check buffer_exhausted after calling
get_bits() and erroring out appropriately.

The case in the AAC decoder is:

while ((elem_type = get_bits(&gb, 3)) != TYPE_END) {
...

I'm actually a little surprised we didn't spot and remedy this
earlier. Any suggestions for any cleaner solutions than Google's
proposition?

Best regards,
Rob
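The following is an added, self-contained C example illustrating the pattern the mail describes (set an enforcing flag after init, zero-fill instead of reading past the buffer, and check an exhausted flag after each read, erroring out of the element loop). It is not FFmpeg's GetBitContext and not the Chromium patch; the names br_init, br_get_bits, parse_elements, MAX_ELEMENTS and the constructed sample inputs are this example's own, and TYPE_END = 7 is assumed here purely as an illustrative 3-bit end marker. The parse_elements() function also shows what happens when enforcement is off: the zero-filled reads never match the end marker, so the loop only stops because of an element-count guard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 3-bit end marker for this example (illustrative value only). */
#define TYPE_END     7
/* Safety guard so an undetected overrun cannot spin forever. */
#define MAX_ELEMENTS 64

/* Minimal MSB-first bit reader with the two flags the mail describes. */
typedef struct {
    const uint8_t *buf;
    int size_in_bits;
    int index;            /* next bit to read */
    int buffer_enforcing; /* opt-in, set by the caller after init */
    int buffer_exhausted; /* latched once a read would have run past the end */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, int bytes)
{
    br->buf = buf;
    br->size_in_bits = bytes * 8;
    br->index = 0;
    br->buffer_enforcing = 0;
    br->buffer_exhausted = 0;
}

/* Read n (1..25) bits MSB-first. On overrun this never touches memory past
 * the buffer: it returns 0 and, when enforcing, latches buffer_exhausted so
 * the caller can tell "read zero bits" apart from "ran out of data". */
static unsigned br_get_bits(BitReader *br, int n)
{
    unsigned v = 0;
    if (br->index + n > br->size_in_bits) {
        br->index = br->size_in_bits;
        if (br->buffer_enforcing)
            br->buffer_exhausted = 1;
        return 0;
    }
    for (int i = 0; i < n; i++, br->index++)
        v = (v << 1) | ((br->buf[br->index >> 3] >> (7 - (br->index & 7))) & 1);
    return v;
}

/* Walk 3-bit element types until TYPE_END, the shape of the AAC loop in the
 * mail. Returns the number of elements before TYPE_END, -1 if the reader
 * reported exhaustion (truncated input detected), or -2 if the loop was only
 * stopped by MAX_ELEMENTS (overrun went undetected because enforce == 0). */
static int parse_elements(const uint8_t *data, int bytes, int enforce)
{
    BitReader gb;
    int count = 0;
    unsigned elem_type;

    br_init(&gb, data, bytes);
    gb.buffer_enforcing = enforce;   /* as the mail: set after init */

    while ((elem_type = br_get_bits(&gb, 3)) != TYPE_END) {
        if (gb.buffer_exhausted)     /* check after every read */
            return -1;
        if (++count > MAX_ELEMENTS)  /* zero-fill alone never hits TYPE_END */
            return -2;
        (void)elem_type;             /* a real decoder would dispatch on it */
    }
    return count;
}

/* Constructed samples: bits 000 001 111 (two elements, then TYPE_END), and
 * the same stream cut to one byte so the third read runs off the end. */
static const uint8_t SAMPLE_OK[]        = { 0x07, 0x80 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x07 };

int main(void)
{
    printf("well-formed, enforcing:   %d\n",
           parse_elements(SAMPLE_OK, (int)sizeof SAMPLE_OK, 1));
    printf("truncated, enforcing:     %d\n",
           parse_elements(SAMPLE_TRUNCATED, (int)sizeof SAMPLE_TRUNCATED, 1));
    printf("truncated, not enforcing: %d\n",
           parse_elements(SAMPLE_TRUNCATED, (int)sizeof SAMPLE_TRUNCATED, 0));
    return 0;
}
```

The point of the third case is the one the quoted comment glosses over: returning zeros keeps the process from faulting, but without the caller-visible flag the AAC-style loop keeps consuming phantom zero elements, so both halves of the pattern (the flag and the check after each read) are needed.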


