[FFmpeg-devel] [PATCH] apedec: ensure blockstodecode is large enough

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Tue Apr 28 11:22:22 CEST 2015


On 28.04.2015 03:18, Michael Niedermayer wrote:
> On Mon, Apr 27, 2015 at 11:56:15PM +0200, Andreas Cadhalpun wrote:
>> s->decoded_buffer is allocated with a min_size of:
>>     2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
>>
>> Then it is assigned to s->decoded[0], which is passed as out buffer to
>> decode_array_0000.
>>
>> In this function 64 elements of the out buffer are written
>> unconditionally and outside the array if blockstodecode is too small.
>>
>> This causes memory corruption, leading to segmentation faults or other crashes.
>>
>> Thus check that FFALIGN(blockstodecode, 8) is at least 32, i.e. the
>> decoded_buffer has at least 64 components.
> 
> the stereo case would need a check against 64 I think

Yes.

> also if this is specific to decode_array_0000(), then the others
> should not fail with a short array

OK.

> or decode_array_0000() could be made to just write less or error
> out

decode_array_0000 is void so error out would require more changes,
but just writing less seems like a better fix anyway. New patch attached.

Best regards,
Andreas
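The following is an added, self-contained C model of the sizing argument discussed in this thread; it is not the attached patch and not FFmpeg's apedec code. It reuses FFmpeg's FFALIGN definition, but the writer functions, the 64-element constant, the guard-region harness and the assumed channel layout (decoded[1] starting FFALIGN(blockstodecode, 8) elements into a buffer of 2 * FFALIGN(blockstodecode, 8) elements) are all hypothetical stand-ins chosen to reproduce the thresholds quoted above (32 for mono, 64 for stereo).

```c
#include <stddef.h>
#include <stdint.h>

/* FFALIGN as defined in FFmpeg's libavutil/macros.h: round x up to a multiple of a. */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Hypothetical stand-ins for the numbers in the thread (not the real decoder):
 * the writer stores 64 elements of the out buffer unconditionally. */
#define UNCONDITIONAL_WRITES 64
#define GUARD_ELEMS 64
#define GUARD_PATTERN 0x5A5A5A5A

/* Elements in decoded_buffer for a given blockstodecode: 2 * FFALIGN(blockstodecode, 8). */
static size_t decoded_buffer_elems(int blockstodecode)
{
    return 2 * (size_t)FFALIGN(blockstodecode, 8);
}

/* The threshold check from the thread: in mono the whole buffer belongs to
 * decoded[0], so FFALIGN(blockstodecode, 8) >= 32 suffices; in stereo decoded[1]
 * only has FFALIGN(blockstodecode, 8) elements left, so it must be >= 64. */
static int blockstodecode_is_safe(int blockstodecode, int channels)
{
    int aligned = FFALIGN(blockstodecode, 8);
    return channels == 2 ? aligned >= 64 : aligned >= 32;
}

/* Model of the unfixed writer: always writes UNCONDITIONAL_WRITES elements. */
static void write_unconditional(int32_t *out)
{
    for (int i = 0; i < UNCONDITIONAL_WRITES; i++)
        out[i] = i;
}

/* Model of the "just write less" fix: clamp the count to the caller's capacity. */
static void write_clamped(int32_t *out, size_t capacity)
{
    size_t n = capacity < UNCONDITIONAL_WRITES ? capacity : UNCONDITIONAL_WRITES;
    for (size_t i = 0; i < n; i++)
        out[i] = (int32_t)i;
}

/* Run one writer on channel `ch` of a buffer sized for `blockstodecode`, with a
 * guard region after the buffer. Returns 1 if the guard survived, 0 if it was
 * overwritten, -1 if the inputs fall outside what this model covers. The backing
 * array is large enough that even the unfixed writer stays inside it, so the
 * overflow is observed in the guard instead of being undefined behaviour. */
static int guard_intact(int blockstodecode, int ch, int clamped)
{
    enum { BACKING = 512 };
    int32_t backing[BACKING];
    size_t total  = decoded_buffer_elems(blockstodecode);
    size_t offset = (size_t)ch * FFALIGN(blockstodecode, 8);   /* start of decoded[ch] */

    if (ch < 0 || ch > 1 || total + GUARD_ELEMS > BACKING)
        return -1;

    for (size_t i = 0; i < BACKING; i++)
        backing[i] = GUARD_PATTERN;

    size_t capacity = total - offset;      /* elements from decoded[ch] to buffer end */
    if (clamped)
        write_clamped(backing + offset, capacity);
    else
        write_unconditional(backing + offset);

    for (size_t i = total; i < total + GUARD_ELEMS; i++)
        if (backing[i] != GUARD_PATTERN)
            return 0;
    return 1;
}
```

With these assumptions, guard_intact(8, 0, 0) reports a clobbered guard (16-element buffer, 64 writes) while guard_intact(8, 0, 1) does not, and guard_intact(32, 1, 0) shows why blockstodecode_is_safe(32, 2) is false even though blockstodecode_is_safe(32, 1) is true.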

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apedec-prevent-out-of-array-writes-in-decode_array_0.patch
Type: text/x-diff
Size: 1729 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150428/99f35356/attachment.bin>

