[FFmpeg-devel] [PATCH 1/4] Fix invalid pointer dereferences when parsing index in flv demuxer.

Michael Niedermayer michaelni at gmx.at
Sat Sep 24 17:36:51 CEST 2011


Hi fenrir

On Sat, Sep 24, 2011 at 04:16:38PM +0200, fenrir at elivagar.org wrote:
> From: Laurent Aimar <fenrir at videolan.org>
> 
> ---
>  libavformat/flvdec.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> index 569d734..e32829d 100644
> --- a/libavformat/flvdec.c
> +++ b/libavformat/flvdec.c
> @@ -196,8 +196,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
>          }
>      }
>  
> -    if (timeslen == fileposlen)
> -         for(i = 0; i < arraylen; i++)
> +    if (!ret && timeslen == fileposlen)
> +         for(i = 0; i < fileposlen; i++)
>               av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
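Review bot: replacing `arraylen` with `fileposlen` as the loop bound only constrains how many entries are read back; nothing in this hunk shows that `filepositions[]` and `times[]` were allocated with at least `fileposlen` elements, so if the allocation size is derived from an untrusted count elsewhere in the function, the loop can still read past the buffer. The guard should be paired with a check that the number of entries stored never exceeded the allocation, and since `ret` is not set anywhere in the visible lines, a comment stating which earlier failure `!ret` is meant to catch would make the condition reviewable on its own.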

This bug is libav.org specific.
And your fix is wrong, there's an integer overflow further up that causes
the allocated array size to be too small.
The writing though is stopped by the end of object, so only the reading
causes the crash.
In ffmpeg.org this is impossible.
In libav.org an attacker could easily use this to overwrite memory and
execute arbitrary code. (even with your patch)

I would suggest you base your patches and tests on ffmpeg.org code, as
many things have already been fixed and we have many more features,
codecs, demuxers and filters that would benefit from testing.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Democracy is the form of government in which you can choose your dictator