[FFmpeg-devel] [PATCH 1/4] Fix invalid pointer deferences when parsing index in flv demuxer.

Michael Niedermayer michaelni at gmx.at
Sun Sep 25 00:55:57 CEST 2011 

On Sat, Sep 24, 2011 at 09:39:44PM +0200, Laurent Aimar wrote:
> On Sat, Sep 24, 2011 at 06:57:26PM +0200, Michael Niedermayer wrote:
> > On Sat, Sep 24, 2011 at 06:45:09PM +0200, Laurent Aimar wrote:
> > > On Sat, Sep 24, 2011 at 06:43:22PM +0200, Laurent Aimar wrote:
> > > > On Sat, Sep 24, 2011 at 06:04:48PM +0200, Laurent Aimar wrote:
> > > > > On Sat, Sep 24, 2011 at 05:36:51PM +0200, Michael Niedermayer wrote:
> > > > > > On Sat, Sep 24, 2011 at 04:16:38PM +0200, fenrir at elivagar.org wrote:
> > > > > > > From: Laurent Aimar <fenrir at videolan.org>
> > > > > > > 
> > > > > > > ---
> > > > > > >  libavformat/flvdec.c |    4 ++--
> > > > > > >  1 files changed, 2 insertions(+), 2 deletions(-)
> > > > > > > 
> > > > > > > diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> > > > > > > index 569d734..e32829d 100644
> > > > > > > --- a/libavformat/flvdec.c
> > > > > > > +++ b/libavformat/flvdec.c
> > > > > > > @@ -196,8 +196,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
> > > > > > >          }
> > > > > > >      }
> > > > > > >  
> > > > > > > -    if (timeslen == fileposlen)
> > > > > > > -         for(i = 0; i < arraylen; i++)
> > > > > > > +    if (!ret && timeslen == fileposlen)
> > > > > > > +         for(i = 0; i < fileposlen; i++)
> > > > > > >               av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
> > > > > > 
> > > > > > This bug is libav.org specific
> > > > > > And your fix is wrong, theres an integer overflow further up that causes
> > > > > > the allocated array size to be too small.
> > > > >  It might be a good think to add an av_calloc() that would take care
> > > > > of the overflow check, no? It seems it's a common enough pattern.
> > > > 
> > > > I have attached a patch adding av_calloc().
> > >  I have used UINT_MAX as the upper bound (as it match what a lot of code
> > > check against), but I tend to think that it would be safer to use INT_MAX.
> > 
> > yes that was exactly my thought too when i read UINT_MAX ...
> A version with INT_MAX instead.
> 
> -- 
> fenrir

>  mem.c |    7 +++++++
>  mem.h |   12 ++++++++++++
>  2 files changed, 19 insertions(+)
> 5c9b46ff6dc8d93d0964d5d526a975849551586f  0001-Add-av_calloc-helper.patch
> From e332ad1ef453ef3641b72e30949b324828f93134 Mon Sep 17 00:00:00 2001
> From: Laurent Aimar <fenrir at videolan.org>
> Date: Sat, 24 Sep 2011 18:39:13 +0200
> Subject: [PATCH] Add av_calloc() helper.

applied, thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20110925/3aebb531/attachment.asc>

More information about the ffmpeg-devel mailing list