[FFmpeg-devel] [libav-devel] [PATCH 5/6] Fixed segfaults on corruped smaker streams in the decoder.

Michael Niedermayer michaelni at gmx.at
Tue Sep 13 00:16:50 CEST 2011


On Tue, Sep 13, 2011 at 12:04:22AM +0200, Laurent Aimar wrote:
> On Mon, Sep 12, 2011 at 11:59:56PM +0200, Michael Niedermayer wrote:
> > On Mon, Sep 12, 2011 at 11:43:18PM +0200, Laurent Aimar wrote:
> > > On Mon, Sep 12, 2011 at 11:28:44PM +0200, Reimar Döffinger wrote:
> > > > On Sun, Sep 11, 2011 at 07:56:46PM +0200, Laurent Aimar wrote:
> > > > > @@ -653,6 +659,8 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
> > > > >      } else { //8-bit data
> > > > >          for(i = stereo; i >= 0; i--)
> > > > >              pred[i] = get_bits(&gb, 8);
> > > > > +        if (stereo + unp_size > data_size)
> > > > > +            return -1;
> > > > 
> > > > This can overflow.
> > > > if (unp_size < 0 || unp_size > data_size - stereo)
> > > > should probably be safe.
> > >  No it doesn't because of the surrounding code BUT I saw a bug
> > > in this patch (data_size is a pointer, a '*' is missing)
> > 
> > fixed
> > 
> > 
> > > 
> > >  It can also be made a bit simpler. I will propose a better patch
> > > later.
> > 
> > i guess you plan something like: ?
> Nearly, this condition is a tad too strict when bits is 1.
> I think it should be (unp_size & ~bits) + stereo > *data_size

i think it should be:
(unp_size & ~bits) + stereo*(bits+1) > *data_size


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20110913/958f4b61/attachment.asc>


More information about the ffmpeg-devel mailing list