[FFmpeg-devel] [PATCH 5/7] Check for out of bound reads in the flic decoder.

Michael Niedermayer michaelni at gmx.at
Wed Sep 28 02:43:22 CEST 2011


On Wed, Sep 28, 2011 at 01:10:53AM +0200, Laurent Aimar wrote:
> On Wed, Sep 28, 2011 at 12:48:41AM +0200, Michael Niedermayer wrote:
> > On Tue, Sep 27, 2011 at 11:43:55PM +0200, fenrir at elivagar.org wrote:
> > > From: Laurent Aimar <fenrir at videolan.org>
> > 
> > 
> > [...]
> > > @@ -218,6 +222,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
> > >                  if (color_changes == 0)
> > >                      color_changes = 256;
> > >  
> > > +                if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
> > > +                    break;
> > > +
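Review bot: the added test `stream_ptr + color_changes * 3 > stream_ptr_after_chunk` does the addition before the comparison, so it is only correct while that sum cannot wrap. Comparing the size needed against the space left, `color_changes * 3 > stream_ptr_after_chunk - stream_ptr`, removes the addition, provided stream_ptr is already known not to exceed stream_ptr_after_chunk at this point. The `break` also leaves on a short palette chunk with no diagnostic in these lines; a log message here would make truncated files easier to identify.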
> > 
> > the addition as well as others can overflow, not really a big issue,
> > as it's near impossible to happen in practice so this could probably
> > be applied as is if you prefer
>  No, I prefer to get it right, it's easier to maintain I think.
> 
>  Mmh, it can only overflow if stream_ptr is above or equal to
> INT_MAX - (3*256 + something_smaller_than_FF_INPUT_BUFFER_PADDING_SIZE) I
> think. The other additions are all smaller than that.
> 
>  Also, there was an invalid test that I removed.
> 
> Patch attached.
> 
> -- 
> fenrir
> 

>  flicvideo.c |   44 +++++++++++++++++++++++++++++---------------
>  1 file changed, 29 insertions(+), 15 deletions(-)
> 50a6eba8d27b7e6a7ed52a77bd47924c674115c0  0001-Check-for-out-of-bound-reads-in-the-flic-decoder.patch
> From bca36eede252a4b9a37b224b97cc009d59f9b880 Mon Sep 17 00:00:00 2001
> From: Laurent Aimar <fenrir at videolan.org>
> Date: Tue, 27 Sep 2011 22:05:15 +0200
> Subject: [PATCH] Check for out of bound reads in the flic decoder.

applied, thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Into a blind darkness they enter who follow after the Ignorance,
they as if into a greater darkness enter who devote themselves
to the Knowledge alone. -- Isha Upanishad
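
The overflow concern discussed in this thread, as an added example that is not part of the original message or of FFmpeg's code: a C sketch that compares the bytes needed with the bytes left, so no addition can wrap. The helper names are hypothetical, and it assumes stream_ptr, stream_ptr_after_chunk and color_changes are ints, as the INT_MAX remark suggests.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helpers; variable names mirror the quoted hunk.
 * Assumption: all three values are plain ints (byte offsets and a count). */

/* Returns 1 if the sum used by the posted check,
 * stream_ptr + color_changes * 3, would exceed INT_MAX.
 * Signed overflow is undefined behaviour in C, so the sum is
 * never computed here; the test is rearranged instead. */
static int sum_would_overflow(int stream_ptr, int color_changes)
{
    int need = color_changes * 3;          /* at most 256 * 3 = 768 */
    return stream_ptr > INT_MAX - need;
}

/* Overflow-free bound check: 1 if color_changes RGB triplets fit
 * between stream_ptr and stream_ptr_after_chunk, else 0. */
static int palette_fits(int stream_ptr, int stream_ptr_after_chunk,
                        int color_changes)
{
    if (color_changes < 0 || color_changes > 256)
        return 0;                          /* count after the 0 -> 256 mapping */
    if (stream_ptr < 0 || stream_ptr > stream_ptr_after_chunk)
        return 0;                          /* already past the chunk end */
    /* Both operands are non-negative and ordered: the subtraction is safe. */
    return color_changes * 3 <= stream_ptr_after_chunk - stream_ptr;
}

int main(void)
{
    /* Constructed sample offsets, not taken from a real FLIC file. */
    int cases[][3] = {
        { 0,            768,     256 },    /* exactly fits */
        { 1,            768,     256 },    /* one byte short */
        { INT_MAX - 10, INT_MAX, 256 },    /* naive sum would wrap */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("ptr=%d end=%d n=%d fits=%d sum_overflows=%d\n",
               cases[i][0], cases[i][1], cases[i][2],
               palette_fits(cases[i][0], cases[i][1], cases[i][2]),
               sum_would_overflow(cases[i][0], cases[i][2]));
    return 0;
}
```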