[FFmpeg-devel] [PATCH] asfdec fixes
Reimar Döffinger
Reimar.Doeffinger
Sat Dec 11 18:40:51 CET 2010
On Sat, Dec 11, 2010 at 05:16:13PM +0100, Michael Niedermayer wrote:
> On Sat, Dec 11, 2010 at 02:48:09PM +0100, Reimar Döffinger wrote:
> [...]
> > @@ -977,7 +980,8 @@
> > av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span (%d %d %d)\n", asf_st->pkt.size, asf_st->ds_packet_size, asf_st->ds_span);
> > }else{
> > /* packet descrambling */
> > - uint8_t *newdata = av_malloc(asf_st->pkt.size);
> > + uint8_t *newdata = av_malloc(asf_st->pkt.size + FF_INPUT_BUFFER_PADDING_SIZE);
> > + memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
> > if (newdata) {
> > int offset = 0;
> > while (offset < asf_st->pkt.size) {
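Review bot: the added `+ memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` runs before the `if (newdata)` test, so when av_malloc returns NULL the memset writes FF_INPUT_BUFFER_PADDING_SIZE zero bytes at NULL + pkt.size, with pkt.size taken from the input file. Move the memset inside the `if (newdata)` block so the padding is only touched once the allocation is known to have succeeded.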
>
> this is missing a malloc failure check which could lead to you are writing zeros
> at a user specified place
Not so much missing as that I misplaced the line.
Though it is a bit silly that the code silently returns the scrambled
packet if it runs out of memory.
I really feel like I've been stumbling around in the dirtiest parts of FFmpeg today.
Anyway, update that part so it at least shouldn't be exploitable.
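As an added illustration of the ordering problem discussed above (example code written for this page, not FFmpeg's asfdec code), the following routine allocates the descrambled copy with padding, zeroes the padding only after the NULL check, and reports an allocation failure to the caller instead of silently leaving the scrambled packet in place. PADDING_SIZE stands in for FF_INPUT_BUFFER_PADDING_SIZE, the chunk transposition is an assumed stand-in for ASF's scramble map rather than the real one, and alloc_hook exists only so the out-of-memory path can be exercised.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FF_INPUT_BUFFER_PADDING_SIZE; the value is assumed. */
#define PADDING_SIZE 64

/* Allocation hook so the out-of-memory path can be exercised (test scaffolding). */
static void *(*alloc_hook)(size_t) = malloc;

/* De-interleaves `size` bytes of `in` in units of `chunk` bytes. The input is
 * treated as `span` rows of `packet_size` bytes; the assumed scramble is a
 * transposition of that chunk matrix (a stand-in, not ASF's exact mapping).
 * On success *out receives a buffer of size + PADDING_SIZE bytes with zeroed
 * padding and 0 is returned. On failure *out is NULL and a negative errno is
 * returned; the caller must treat that as an error, never as "use the scrambled data". */
static int descramble(const uint8_t *in, int size, int chunk, int span,
                      int packet_size, uint8_t **out)
{
    *out = NULL;
    if (chunk <= 0 || span <= 0 || packet_size <= 0 || packet_size % chunk != 0)
        return -EINVAL;
    /* Same consistency check the asfdec hunk logs before descrambling. */
    if (size != packet_size * span)
        return -EINVAL;

    int cols = packet_size / chunk;             /* chunks per row */
    uint8_t *newdata = alloc_hook((size_t)size + PADDING_SIZE);
    if (!newdata)
        return -ENOMEM;                         /* nothing has been written yet */
    /* Zero the padding only after the NULL check; newdata + size is now valid. */
    memset(newdata + size, 0, PADDING_SIZE);

    for (int offset = 0; offset < size; offset += chunk) {
        int off = offset / chunk;
        int row = off / span;                   /* 0 .. cols-1 */
        int col = off % span;                   /* 0 .. span-1 */
        int idx = row + col * cols;             /* always < span * cols, so in bounds */
        memcpy(newdata + offset, in + (size_t)idx * chunk, chunk);
    }
    *out = newdata;
    return 0;
}

/* Self-checks: each returns 1 on success, 0 on failure. */
static int check_transpose(void)
{
    /* Constructed input: 3 rows of 4 bytes, 2-byte chunks. */
    const uint8_t in[12]   = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
    const uint8_t want[12] = {0, 1, 4, 5, 8, 9, 2, 3, 6, 7, 10, 11};
    uint8_t *out = NULL;
    int rc = descramble(in, 12, 2, 3, 4, &out);
    int ok = rc == 0 && out != NULL && memcmp(out, want, 12) == 0;
    /* The padding must be zero-filled. */
    for (int i = 0; ok && i < PADDING_SIZE; i++)
        ok = out[12 + i] == 0;
    free(out);
    return ok;
}

static int check_size_mismatch(void)
{
    const uint8_t in[5] = {0};
    uint8_t dummy;
    uint8_t *out = &dummy;  /* must be reset to NULL on failure */
    return descramble(in, 5, 1, 2, 2, &out) == -EINVAL && out == NULL;
}

static void *failing_alloc(size_t n) { (void)n; return NULL; }

static int check_oom(void)
{
    const uint8_t in[4] = {0, 1, 2, 3};
    uint8_t *out = NULL;
    alloc_hook = failing_alloc;
    int rc = descramble(in, 4, 1, 2, 2, &out);
    alloc_hook = malloc;
    return rc == -ENOMEM && out == NULL;
}
```

The three check functions cover the paths a reviewer cares about here: a successful descramble with zeroed padding, a size mismatch rejected before any allocation, and an allocation failure that returns -ENOMEM with nothing written.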
Index: ffmpeg/libavformat/asfdec.c
===================================================================
--- ffmpeg/libavformat/asfdec.c (revision 25928)
+++ ffmpeg/libavformat/asfdec.c (working copy)
@@ -977,9 +980,10 @@
av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span (%d %d %d)\n", asf_st->pkt.size, asf_st->ds_packet_size, asf_st->ds_span);
}else{
/* packet descrambling */
- uint8_t *newdata = av_malloc(asf_st->pkt.size);
+ uint8_t *newdata = av_malloc(asf_st->pkt.size + FF_INPUT_BUFFER_PADDING_SIZE);
if (newdata) {
int offset = 0;
+ memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
while (offset < asf_st->pkt.size) {
int off = offset / asf_st->ds_chunk_size;
int row = off / asf_st->ds_span;
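Review bot: the memset now sits inside the `if (newdata)` block after `int offset = 0;`, so the write through a NULL pointer is gone, but the allocation-failure path still has no error return: when av_malloc returns NULL the whole block is skipped and the scrambled packet is passed on unchanged, which is the silent fallback mentioned in the reply. Suggest adding an `else` branch that logs the failure and returns AVERROR(ENOMEM) so callers never receive scrambled data as if it were a valid packet.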