[FFmpeg-devel] [PATCH] Use correct colorspace in Cinepak decoder.

u-bo1b at 0w.se u-bo1b at 0w.se
Tue Feb 19 09:01:30 CET 2013


On Tue, Feb 19, 2013 at 12:41:19AM +0100, Michael Niedermayer wrote:
> On Mon, Feb 18, 2013 at 06:00:33PM +0100, u-bo1b at 0w.se wrote:
> > The new code is also faster and more robust.

> this patch seems to break decoding of
> https://ffmpeg.org/trac/ffmpeg/raw-attachment/ticket/1303/1.avi

The vulnerability has been there in the decoder from the beginning,
it had no protection against writing outside the frame memory when any
of the coordinates were not a multiple of 4.

I am not familiar with memory allocation in ffmpeg but it looks
like the frame is allocated based on the dimensions of the video
stream, while the decoder used to set the checking boundaries outside
the dimensions:

----
    s->width = (avctx->width + 3) & ~3;
    s->height = (avctx->height + 3) & ~3;
----

Now it does this only for the y coordinate for which it (now) uses
avctx->height for the actual checking at decoding.

See the second patch "More correct and robust Cinepak decoder"
which refuses to decode strips with unsafe dimensions.

I do not see this as a regression but rather as a security problem (with
an already supplied fix). A better fix is welcome but this one is better
than none.

Regards,
Rl



More information about the ffmpeg-devel mailing list