[FFmpeg-devel] [PATCH] IFF: Add error checking to byterun1 decoder

Sebastian Vater cdgs.basty
Wed May 26 23:12:51 CEST 2010


Ronald S. Bultje wrote:
> Hi,
>
> On Wed, May 26, 2010 at 4:29 PM, Sebastian Vater
> <cdgs.basty at googlemail.com> wrote:
>   
>> Ronald S. Bultje wrote:
>>     
>>> Hi,
>>>
>>> [...]
>>> Imagine that buf_size=0, so buf==buf_end directly. The topmost if will
>>> catch that. Now imagine that buf is exactly 1 byte + length long.
>>> After one loop iteration, length won't be checked (because that's only
>>> done on entry into the loop, and not before every iteration) and const
>>> int8_t value = *buf++ will overread beyond the buffer bounds.
>>>
>>>       
>> Ahh, but this isn't actually a problem, because AVPacket->data has
>> FF_INPUT_BUFFER_PADDING_SIZE.
>> So it will still read in valid memory area...and regardless of what the
>> contents of that byte is, the if's will
>> catch that, since they all check buf >= buf_end. ;-)
>>
>> I have addressed that issue from the very beginning by taking a look at
>> the allocation routine for AVPacket->data. ;-)
>>
>> But maybe I could add a comment about this?
>>     
>
> I'm not terribly comfortable with it, but if others think it's OK then
> I won't object.
>   

Reindent patch added now. I will fix the issue mentioned above if
others complain.
But why should they? I mean, after all, why is there
FF_INPUT_BUFFER_PADDING_SIZE if not to take advantage of it (make code
simpler and sometimes even faster)? ;-)

-- 

Best regards,
                   :-) Basty/CDGS (-:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iff-byterun1-error-indent.patch
Type: text/x-patch
Size: 1288 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100526/5e01ed6a/attachment.bin>
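The one-byte overread Ronald describes (input ending exactly after a run, so the next `*buf++` fetches the control byte from past `buf_end`) is easiest to see in a decoder that re-checks the bounds on every iteration instead of only on loop entry. The following is an added example written for this page; it is not the patch attached above and not FFmpeg's libavcodec/iff.c. It implements the standard ByteRun1 rules (control byte n >= 0: copy n+1 literal bytes; -128 < n < 0: repeat the next byte 1-n times; -128: no-op) and treats a run that claims more input than the packet holds as an error rather than relying on FF_INPUT_BUFFER_PADDING_SIZE. The sample packets are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ByteRun1 (ILBM / PackBits style) run-length decoder. Added example,
 * not FFmpeg's libavcodec/iff.c. Every read of buf is preceded by a
 * bounds check, so no byte beyond buf_end is ever touched, with or
 * without packet padding.
 *
 * Returns the number of bytes written to dst, or -1 if a run claims
 * more input than the packet contains (truncated or malformed data).
 * Input that ends exactly at a run boundary is not an error: the loop
 * re-checks buf against buf_end before fetching the next control byte,
 * which is the case discussed in the thread above. */
static long byterun1_decode(uint8_t *dst, size_t dst_size,
                            const uint8_t *src, size_t src_size)
{
    const uint8_t *buf = src, *buf_end = src + src_size;
    size_t x = 0;

    while (x < dst_size) {
        if (buf >= buf_end)           /* checked on every iteration, not only on entry */
            break;
        const int8_t value = (int8_t)*buf++;
        size_t length;

        if (value >= 0) {
            /* literal run: the next value+1 bytes are copied verbatim */
            length = (size_t)value + 1;
            if ((size_t)(buf_end - buf) < length)
                return -1;            /* run claims more input than exists */
            if (length > dst_size - x)
                length = dst_size - x;
            memcpy(dst + x, buf, length);
            buf += length;
        } else if (value != -128) {
            /* repeat run: the next byte is replicated 1-value times */
            length = (size_t)(1 - value);
            if (buf >= buf_end)
                return -1;            /* the byte to repeat is missing */
            if (length > dst_size - x)
                length = dst_size - x;
            memset(dst + x, *buf++, length);
        } else {
            continue;                 /* -128 is a no-op control byte */
        }
        x += length;
    }
    return (long)x;
}

/* Constructed sample packets (not from any real IFF file). */
static const uint8_t SAMPLE_OK[]        = {0x02, 'a', 'b', 'c', 0xFE, 'x'}; /* "abc" then 'x' x3 */
static const uint8_t SAMPLE_BOUNDARY[]  = {0x02, 'a', 'b', 'c'};            /* ends exactly after a run */
static const uint8_t SAMPLE_TRUNC[]     = {0x02, 'a', 'b'};                 /* literal run claims 3, has 2 */
static const uint8_t SAMPLE_TRUNC_REP[] = {0xFE};                           /* repeat run, no data byte */
static const uint8_t SAMPLE_NOOP[]      = {0x80, 0x00, 'z'};                /* -128 no-op, then 'z' */

/* Decodes src into a 6-byte scratch buffer and returns the decoder's result. */
static long decode_result(const uint8_t *src, size_t src_size)
{
    uint8_t out[6] = {0};
    return byterun1_decode(out, sizeof out, src, src_size);
}

/* Returns 1 if src decodes (into a 6-byte buffer) to exactly the string expect. */
static int decodes_to(const uint8_t *src, size_t src_size, const char *expect)
{
    uint8_t out[6] = {0};
    long n = byterun1_decode(out, sizeof out, src, src_size);
    return n == (long)strlen(expect) && memcmp(out, expect, (size_t)n) == 0;
}

int main(void)
{
    uint8_t out[6] = {0};
    long n = byterun1_decode(out, sizeof out, SAMPLE_OK, sizeof SAMPLE_OK);
    printf("SAMPLE_OK decoded %ld bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("SAMPLE_BOUNDARY -> %ld bytes (clean stop at run boundary)\n",
           decode_result(SAMPLE_BOUNDARY, sizeof SAMPLE_BOUNDARY));
    printf("SAMPLE_TRUNC -> %ld (error: run longer than packet)\n",
           decode_result(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

Returning -1 for a run that overruns the packet distinguishes a malformed packet from one that simply ends early; the caller can then decide whether to drop the frame or keep the partially decoded rows, and the decision does not depend on what happens to be in the padding bytes.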
