[FFmpeg-devel] [PATCH] apedec: ensure blockstodecode is large enough

Michael Niedermayer michaelni at gmx.at
Tue Apr 28 12:52:43 CEST 2015


On Tue, Apr 28, 2015 at 11:22:22AM +0200, Andreas Cadhalpun wrote:
> On 28.04.2015 03:18, Michael Niedermayer wrote:
> > On Mon, Apr 27, 2015 at 11:56:15PM +0200, Andreas Cadhalpun wrote:
> >> s->decoded_buffer is allocated with a min_size of:
> >>     2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
> >>
> >> Then it is assigned to s->decoded[0], which is passed as out buffer to
> >> decode_array_0000.
> >>
> >> In this function 64 elements of the out buffer are written
> >> unconditionally and outside the array if blockstodecode is too small.
> >>
> >> This causes memory corruption, leading to segmentation faults or other crashes.
> >>
> >> Thus check that FFALIGN(blockstodecode, 8) is at least 32, i.e. the
> >> decoded_buffer has at least 64 components.
> > 
> > the stereo case would need a check against 64 i think
> 
> Yes.
> 
> > also if this is specific to decode_array_0000(), then the others
> > should not fail with a short array
> 
> OK.
> 
> > or decode_array_0000() could be made to just write less or error
> > out
> 
> decode_array_0000 is void so error out would require more changes,
> but just writing less seems like a better fix anyway. New patch attached.
> 
> Best regards,
> Andreas
> 

>  apedec.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 4f13e8d3f04b128cb0e8b4c0f703ecc56eaedd46  0001-apedec-prevent-out-of-array-writes-in-decode_array_0.patch
> From 969592cc6c04571afa0d8b32be31caf78ca52517 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> Date: Tue, 28 Apr 2015 11:13:43 +0200
> Subject: [PATCH] apedec: prevent out of array writes in decode_array_0000
> 
> s->decoded_buffer is allocated with a min_size of:
>     2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
> 
> Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8)
> to s->decoded[1]) and passed as out buffer to decode_array_0000.
> 
> In this function 64 elements of the out buffer are written
> unconditionally and outside the array if blockstodecode is too small.
> 
> This causes memory corruption, leading to segmentation faults or other
> crashes.
> 
> Thus change decode_array_0000 to write at most blockstodecode elements
> of the out buffer.

applied

thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
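For readers who want to check the arithmetic behind the thread above, here is a small C model added to this page; it is not FFmpeg's apedec.c and not the applied patch. The FFALIGN macro is FFmpeg's libavutil definition; the two decode_array_* functions, the canary check and the placeholder sample values are stand-ins written for this example. It reproduces the numbers from the discussion: with the old unconditional 64-element write the mono case is safe once FFALIGN(blockstodecode, 8) reaches 32, the stereo case only at 64, and bounding the write to blockstodecode removes the overflow for every size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * FFALIGN as defined in FFmpeg's libavutil (round x up to a multiple of a,
 * with a a power of two); the commit message sizes decoded_buffer as
 * 2 * FFALIGN(blockstodecode, 8) elements.
 */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* The pre-fix decode_array_0000 always wrote this many elements. */
#define UNCONDITIONAL_WRITE 64

/* Per-channel stride in elements: decoded[1] = decoded_buffer + stride. */
static size_t channel_stride(int blockstodecode)
{
    return (size_t)FFALIGN(blockstodecode, 8);
}

/*
 * How many elements an unconditional 64-element write into channel ch
 * (0 or 1) lands past the end of the two-channel buffer. 0 means in bounds.
 */
static int overflow_elements(int blockstodecode, int ch)
{
    size_t stride = channel_stride(blockstodecode);
    size_t total  = 2 * stride;
    size_t end    = (size_t)ch * stride + UNCONDITIONAL_WRITE;
    return end > total ? (int)(end - total) : 0;
}

/* Stand-in for the pre-fix body: 64 elements, whatever the buffer size. */
static void decode_array_unbounded(int32_t *out)
{
    for (int i = 0; i < UNCONDITIONAL_WRITE; i++)
        out[i] = i;               /* placeholder sample values */
}

/* Stand-in for the post-fix body: at most blockstodecode elements. */
static int decode_array_bounded(int32_t *out, int blockstodecode)
{
    int n = blockstodecode < UNCONDITIONAL_WRITE ? blockstodecode
                                                 : UNCONDITIONAL_WRITE;
    for (int i = 0; i < n; i++)
        out[i] = i;               /* placeholder sample values */
    return n;
}

/*
 * Allocate the two-channel buffer with 64 elements of slack after it, plant a
 * canary in the first slot past the logical buffer and run the chosen decoder
 * on both channels. Returns 1 if the canary was overwritten (a write past the
 * size the real allocation would have had), 0 if it survived. The slack keeps
 * the demonstration itself inside the malloc'd region.
 */
static int canary_clobbered(int blockstodecode, int use_fix)
{
    const int32_t canary = 0x5A5A5A5A;
    size_t stride = channel_stride(blockstodecode);
    size_t total  = 2 * stride;
    int32_t *buf  = calloc(total + UNCONDITIONAL_WRITE, sizeof *buf);
    if (!buf)
        return -1;
    buf[total] = canary;
    int32_t *decoded[2] = { buf, buf + stride };
    for (int ch = 0; ch < 2; ch++) {
        if (use_fix)
            decode_array_bounded(decoded[ch], blockstodecode);
        else
            decode_array_unbounded(decoded[ch]);
    }
    int clobbered = buf[total] != canary;
    free(buf);
    return clobbered;
}

int main(void)
{
    int sizes[] = { 8, 32, 64 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int b = sizes[i];
        printf("blockstodecode=%2d: mono overflow %2d, stereo overflow %2d, "
               "canary clobbered pre-fix=%d post-fix=%d\n",
               b, overflow_elements(b, 0), overflow_elements(b, 1),
               canary_clobbered(b, 0), canary_clobbered(b, 1));
    }
    return 0;
}
```

The canary sits at index 2 * FFALIGN(blockstodecode, 8), i.e. the first element the real allocation would not have contained, so a clobbered canary is exactly the write that corrupts the heap in the unpatched decoder.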

