[FFmpeg-devel] [PATCH] indeo3: add out-of-buffer write check
Laurent Aimar
fenrir at elivagar.org
Mon May 23 17:40:11 CEST 2011
Hi,
> Prevent out-of-buffer writes. In particular fix smclocki32.avi.1.1
> crash, fix trac issue #114, roundup issue #1482.
> ---
> libavcodec/indeo3.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
> index b74fcf7..8e55fbe 100644
> --- a/libavcodec/indeo3.c
> +++ b/libavcodec/indeo3.c
> @@ -213,6 +213,7 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
> int *width_tbl, width_tbl_arr[10];
> const signed char *ref_vectors;
> uint8_t *cur_frm_pos, *ref_frm_pos, *cp, *cp2;
> + uint8_t *cur_end = cur + width*height + width;
> uint32_t *cur_lp, *ref_lp;
> const uint32_t *correction_lp[2], *correctionloworder_lp[2], *correctionhighorder_lp[2];
> uint8_t *correction_type_sp[2];
> @@ -359,6 +360,8 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
> k = *buf1++;
> cur_lp = ((uint32_t *)cur_frm_pos) + width_tbl[lp2];
> ref_lp = ((uint32_t *)ref_frm_pos) + width_tbl[lp2];
> + if ((uint8_t *)cur_lp >= cur_end-3)
> + break;
If the overflow can happen, then IMO this check is not robust enough, you can
have an integer overflow when computing cur_lp address.
Also while at it, it seems that width_tbl can be < 0, and I am not sure it is
correctly checked.
Regards,
--
fenrir
More information about the ffmpeg-devel
mailing list