[FFmpeg-devel] [PATCH] asfdec fixes

Michael Niedermayer michaelni
Sat Dec 11 20:34:05 CET 2010


On Sat, Dec 11, 2010 at 06:40:51PM +0100, Reimar Döffinger wrote:
> On Sat, Dec 11, 2010 at 05:16:13PM +0100, Michael Niedermayer wrote:
> > On Sat, Dec 11, 2010 at 02:48:09PM +0100, Reimar Döffinger wrote:
> > [...]
> > > @@ -977,7 +980,8 @@
> > >                      av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span (%d %d %d)\n", asf_st->pkt.size, asf_st->ds_packet_size, asf_st->ds_span);
> > >                }else{
> > >                  /* packet descrambling */
> > > -                uint8_t *newdata = av_malloc(asf_st->pkt.size);
> > > +                uint8_t *newdata = av_malloc(asf_st->pkt.size + FF_INPUT_BUFFER_PADDING_SIZE);
> > > +                memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
> > >                  if (newdata) {
> > >                      int offset = 0;
> > >                      while (offset < asf_st->pkt.size) {
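Review bot: the added memset runs before the `if (newdata)` check, so when av_malloc fails it writes FF_INPUT_BUFFER_PADDING_SIZE zero bytes at NULL + asf_st->pkt.size, and pkt.size is taken from the input file. Move the `memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` line inside the `if (newdata) {` block, after the allocation has been verified. While there, consider returning an error (AVERROR(ENOMEM)) when the allocation fails instead of leaving the else branch and continuing with the still-scrambled packet, since the caller has no way to tell that descrambling never happened.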
> > 
> > this is missing a malloc failure check which could lead to you writing zeros
> > at a user-specified place
> 
> Not so much missing as that I misplaced the line.
> Though it is a bit silly that the code silently returns the scrambled
> packet if it runs out of memory.

true


> I really feel like I've been stumbling around in the dirtiest parts of FFmpeg today.

the asf demuxer is a dirty & complex beast, in part because asf is a
dirty mess.


> Anyway, update that part so it at least shouldn't be exploitable.
> Index: ffmpeg/libavformat/asfdec.c
> ===================================================================
> --- ffmpeg/libavformat/asfdec.c (revision 25928)
> +++ ffmpeg/libavformat/asfdec.c (working copy)

lgtm

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The worst form of inequality is to try to make unequal things equal.
-- Aristotle
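As an added worked example (not code from the patch above or from FFmpeg), here is the pattern the review turns on: allocate size plus padding, check the allocation result before the memset that zeroes the padding, and report allocation failure instead of handing back the still-scrambled data. The column-major interleave, the PADDING constant, struct ds_params, the alloc_fn hook and every function name are assumptions made for this example; only the field names echo the hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FF_INPUT_BUFFER_PADDING_SIZE (assumed value; the pattern only
 * needs the padding to be allocated and zeroed). */
#define PADDING 16

/* Hypothetical descrambling parameters, named after the fields in the hunk. */
struct ds_params {
    int chunk_size;   /* bytes per interleave chunk            */
    int packet_size;  /* bytes per row; multiple of chunk_size */
    int span;         /* rows interleaved together             */
};

/* Allocator hook so the out-of-memory path can be exercised deterministically. */
typedef void *(*alloc_fn)(size_t);

/* Column-major interleave, used only to build sample input (constructed for
 * this example; not a claim about the exact ASF layout). */
static void scramble(const uint8_t *in, uint8_t *out, int size, const struct ds_params *p)
{
    int per_row = p->packet_size / p->chunk_size;
    for (int off = 0; off < size; off += p->chunk_size) {
        int chunk = off / p->chunk_size;
        int row = chunk / per_row, col = chunk % per_row;
        memcpy(out + (col * p->span + row) * p->chunk_size, in + off, p->chunk_size);
    }
}

/* Hardened form of the hunk's pattern. Returns 0 and stores a new buffer of
 * size + PADDING bytes (padding zeroed) in *out; -1 on inconsistent sizes;
 * -2 when the allocation fails. Nothing is written through newdata before the
 * NULL check, and the caller never receives scrambled input as if descrambled. */
static int descramble(const uint8_t *in, int size, const struct ds_params *p,
                      alloc_fn alloc, uint8_t **out)
{
    if (p->chunk_size <= 0 || p->packet_size <= 0 || p->span <= 0 ||
        p->packet_size % p->chunk_size != 0 || size != p->packet_size * p->span)
        return -1;

    uint8_t *newdata = alloc((size_t)size + PADDING);
    if (!newdata)                       /* check BEFORE touching the buffer */
        return -2;
    memset(newdata + size, 0, PADDING); /* zero the padding only once it exists */

    int per_row = p->packet_size / p->chunk_size;
    for (int off = 0; off < size; off += p->chunk_size) {
        int chunk = off / p->chunk_size;
        int row = chunk / per_row, col = chunk % per_row;
        memcpy(newdata + off, in + (col * p->span + row) * p->chunk_size, p->chunk_size);
    }
    *out = newdata;
    return 0;
}

/* Allocator that always fails, standing in for av_malloc under memory pressure. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Round trip over constructed data: scramble, descramble, compare, check padding. */
static int roundtrip_ok(void)
{
    struct ds_params p = { .chunk_size = 2, .packet_size = 6, .span = 3 };
    int size = p.packet_size * p.span;  /* 18 bytes */
    uint8_t plain[18], scr[18];
    for (int i = 0; i < size; i++) plain[i] = (uint8_t)i;
    scramble(plain, scr, size, &p);

    uint8_t *out = NULL;
    if (descramble(scr, size, &p, malloc, &out) != 0) return 0;
    int ok = memcmp(out, plain, size) == 0;
    for (int i = 0; i < PADDING; i++) ok = ok && out[size + i] == 0;
    free(out);
    return ok;
}

/* Allocation failure must be reported, and *out must stay untouched. */
static int oom_reported(void)
{
    struct ds_params p = { .chunk_size = 2, .packet_size = 6, .span = 3 };
    uint8_t scr[18] = { 0 };
    uint8_t *out = NULL;
    return descramble(scr, 18, &p, failing_alloc, &out) == -2 && out == NULL;
}

/* A size that does not equal packet_size * span is rejected before allocating. */
static int size_mismatch_rejected(void)
{
    struct ds_params p = { .chunk_size = 2, .packet_size = 6, .span = 3 };
    uint8_t scr[18] = { 0 };
    uint8_t *out = NULL;
    return descramble(scr, 17, &p, malloc, &out) == -1 && out == NULL;
}

int main(void)
{
    printf("roundtrip %s, oom %s, mismatch %s\n",
           roundtrip_ok() ? "ok" : "FAIL",
           oom_reported() ? "reported" : "FAIL",
           size_mismatch_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

The point of the alloc_fn indirection is that the failure path is the one that matters here and is otherwise hard to reach in a test; with a real allocator the memset-before-check ordering from the original hunk would only show up as a NULL-plus-offset write under memory pressure.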