[FFmpeg-devel] [PATCH 1/4] Fix invalid pointer deferences when parsing index in flv demuxer.
Laurent Aimar
fenrir at elivagar.org
Sat Sep 24 18:45:09 CEST 2011
On Sat, Sep 24, 2011 at 06:43:22PM +0200, Laurent Aimar wrote:
> On Sat, Sep 24, 2011 at 06:04:48PM +0200, Laurent Aimar wrote:
> > On Sat, Sep 24, 2011 at 05:36:51PM +0200, Michael Niedermayer wrote:
> > > On Sat, Sep 24, 2011 at 04:16:38PM +0200, fenrir at elivagar.org wrote:
> > > > From: Laurent Aimar <fenrir at videolan.org>
> > > >
> > > > ---
> > > > libavformat/flvdec.c | 4 ++--
> > > > 1 files changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> > > > index 569d734..e32829d 100644
> > > > --- a/libavformat/flvdec.c
> > > > +++ b/libavformat/flvdec.c
> > > > @@ -196,8 +196,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
> > > > }
> > > > }
> > > >
> > > > - if (timeslen == fileposlen)
> > > > - for(i = 0; i < arraylen; i++)
> > > > + if (!ret && timeslen == fileposlen)
> > > > + for(i = 0; i < fileposlen; i++)
> > > > av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
> > >
> > > This bug is libav.org specific
> > > And your fix is wrong, theres an integer overflow further up that causes
> > > the allocated array size to be too small.
> > It might be a good think to add an av_calloc() that would take care
> > of the overflow check, no? It seems it's a common enough pattern.
>
> I have attached a patch adding av_calloc().
I have used UINT_MAX as the upper bound (as it match what a lot of code
check against), but I tend to think that it would be safer to use INT_MAX.
--
fenrir
More information about the ffmpeg-devel
mailing list