[FFmpeg-devel] [PATCH] Use correct colorspace in Cinepak decoder.

u-bo1b at 0w.se
Tue Feb 19 11:46:25 CET 2013

On Tue, Feb 19, 2013 at 09:17:47AM +0000, Carl Eugen Hoyos wrote:
> > > this patch seems to break decoding of
> > > https://ffmpeg.org/trac/ffmpeg/raw-attachment/ticket/1303/1.avi
> > 
> > The vulnerability has been there in the decoder from the 
> > beginning, it had no protection against writing outside the frame 
> > memory when any of the coordinates were not a multiple of 4.
> valgrind does not report any invalid memory access for 
> the sample above, so is there really any 
> writing "outside the frame memory"?

Possibly not for this particular sample with this particular memory
allocation? The out-of-frame access would happen in the vector decoding
phase, where the decoder always wrote to 16 different pixels - the frame
had to have room for all of them. See cinepak_decode_vectors().

I noticed this problem as laracroft-cinepak-partial.avi in fate test
samples caused segfaults in ffplay (this video has 187 scan lines).
Remarkably, mplayer with the same decoder did not segfault and played fine.
I guess its memory allocation was different.

After the patch the decoder still always writes to the 4 pixels in the
uppermost row of each block, thus reducing the vulnerability but not
eliminating it. The second patch fixes this by rejecting unsafe strips.
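To make the hazard described above concrete, here is an added illustration (not FFmpeg's Cinepak decoder, and the Frame type, the strip rectangle convention and the sample 320x187 dimensions are assumptions for this example): a 4x4 block starting at row 184 of a 187-line frame would touch row 187, which does not exist, so the block write is clipped and strips whose edges are not 4-aligned inside the frame are rejected.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed frame type for this example: width/height need not be
 * multiples of 4, exactly the case that caused the out-of-frame writes. */
typedef struct { int width, height, linesize; uint8_t *data; } Frame;

/* 1 if the 4x4 block with top-left corner (x, y) lies fully inside a
 * width x height frame. For height 187, y = 184 covers rows 184..187. */
int block_fits(int width, int height, int x, int y) {
    return x >= 0 && y >= 0 && x + 4 <= width && y + 4 <= height;
}

/* "Rejecting unsafe strips": the strip rectangle [x0,x1) x [y0,y1) is
 * accepted only if it lies within the frame and all edges are multiples
 * of 4, so every block it contains is backed by frame memory. */
int strip_is_safe(int width, int height, int x0, int y0, int x1, int y1) {
    if (x0 < 0 || y0 < 0 || x1 > width || y1 > height) return 0;
    if (x0 >= x1 || y0 >= y1) return 0;
    return ((x0 | y0 | x1 | y1) & 3) == 0;
}

/* Writes one 4x4 block, skipping rows/columns outside the frame instead
 * of running past the buffer. Returns the number of pixels written. */
int write_block_clipped(Frame *f, int x, int y, const uint8_t px[16]) {
    int n = 0;
    for (int r = 0; r < 4; r++) {
        if (y + r < 0 || y + r >= f->height) continue;
        for (int c = 0; c < 4; c++) {
            if (x + c < 0 || x + c >= f->width) continue;
            f->data[(y + r) * f->linesize + (x + c)] = px[r * 4 + c];
            n++;
        }
    }
    return n;
}

/* Allocates a width x height frame, writes one block at (0, y) and
 * returns how many of its 16 pixels landed inside the frame. */
int clipped_pixels_at(int width, int height, int y) {
    Frame f = { width, height, width, calloc((size_t)width * height, 1) };
    uint8_t px[16];
    memset(px, 0xAB, sizeof px);
    int n = f.data ? write_block_clipped(&f, 0, y, px) : -1;
    free(f.data);
    return n;
}
```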
