[FFmpeg-devel] [PATCH] cook: avoid out of global array read.

Michael Niedermayer michaelni at gmx.at
Tue Feb 28 21:09:05 CET 2012


On Tue, Feb 28, 2012 at 08:41:43PM +0100, Reimar Döffinger wrote:
> On Tue, Feb 28, 2012 at 08:10:21PM +0100, Michael Niedermayer wrote:
> > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> > Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> > ---
> >  libavcodec/cook.c |   41 +++++++++++++++++++++++++++++------------
> >  1 files changed, 29 insertions(+), 12 deletions(-)
> > 
> > diff --git a/libavcodec/cook.c b/libavcodec/cook.c
> > index 08b51d8..920f527 100644
> > --- a/libavcodec/cook.c
> > +++ b/libavcodec/cook.c
> > @@ -366,7 +366,7 @@ static void decode_gain_info(GetBitContext *gb, int *gaininfo)
> >   * @param q                 pointer to the COOKContext
> >   * @param quant_index_table pointer to the array
> >   */
> > -static void decode_envelope(COOKContext *q, COOKSubpacket *p,
> > +static int decode_envelope(COOKContext *q, COOKSubpacket *p,
> >                              int *quant_index_table)
> >  {
> >      int i, j, vlc_index;
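Review bot: the return type changes from void to int in this hunk, but the doxygen block directly above (`@param q`, `@param quant_index_table`) is not updated to say what the function now returns; add a line such as ` * @return 0 on success, a negative AVERROR code on failure` so callers know the value must be checked.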
> > @@ -388,7 +388,14 @@ static void decode_envelope(COOKContext *q, COOKSubpacket *p,
> >          j = get_vlc2(&q->gb, q->envelope_quant_index[vlc_index - 1].table,
> >                       q->envelope_quant_index[vlc_index - 1].bits, 2);
> >          quant_index_table[i] = quant_index_table[i - 1] + j - 12; // differential encoding
> > +
> > +        if (quant_index_table[i] < -63 || quant_index_table[i] > 64) {
> > +            av_log_ask_for_sample(NULL, "quant_index_table value out of bounds\n");
> > +            return AVERROR_PATCHWELCOME;
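Review bot: the bounds check on quant_index_table[i] is placed correctly, right after the differential update and before the value can be used as an index, but av_log_ask_for_sample(NULL, ...) throws away the context, so the message cannot be tied to the stream being decoded; pass the decoder's AVCodecContext instead of NULL. Since decode_envelope now returns an error, the visible part of the patch does not show the caller checking that return value; it must be propagated, otherwise the out-of-range table is still consumed after the log message.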
> 
> Is there a reason to believe this indicates an unimplemented feature
> and not a broken file?

I have no way to know if such quant_index_table values are allowed
or not. That's also why I sent a patch; I hope someone like Ben could
comment.


> If yes, that should be documented.


> If not, I think this should return AVERROR_INVALIDDATA.

I've just used what other checks in the file, like the one on the subband number,
return. Changing it for one case would make that inconsistent.

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus