[FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header
Michael Niedermayer
michaelni at gmx.at
Tue Apr 28 22:21:20 CEST 2015
On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
> The existing check has two problems:
> 1) i + count can overflow, so that the check '< 256' returns true.
> 2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
>
> This can trigger the assertion 'nut->header_len[0] == 0' or cause
> segmentation faults or infinite hangs.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavformat/nutdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> index 1bb2091..46946d3 100644
> --- a/libavformat/nutdec.c
> +++ b/libavformat/nutdec.c
> @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
> while (tmp_fields-- > 8)
> ffio_read_varlen(bc);
>
> - if (count == 0 || i + count > 256) {
> + if (count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && count > 255 - i)) {
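Review bot: the two `i`-dependent branches in the new condition are complementary (`i > 'N'` / `i <= 'N'`) and differ only by the constant (`256 - i` vs `255 - i`), so the check can be one expression, and whichever form is kept deserves a comment saying why a run that starts at or before `'N'` is allowed one entry less: the `j--` for the reserved slot that the commit message describes is not visible in this hunk, so a reader of the bare condition cannot tell where the off-by-one comes from. Replacing `count == 0` with `count <= 0` is a separate fix (negative counts) and is worth a word in the commit message as well.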
this could be simplified to:
if (count <= 0 || count > 256 - (i <= 'N') - i) {
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
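As an added illustration, not code from FFmpeg or from either poster, the C model below replays the frame-code fill loop so the bounds written in the patch hunk and the one-expression form from the reply can be checked against what the loop actually writes; the macro and function names are assumptions.

```c
#include <stdbool.h>
#include <limits.h>

/* Added example, not FFmpeg's code: models the 256-entry frame_code fill loop
 * of decode_main_header() to test the patch's bounds. Names are assumptions. */
#define NUT_FRAME_CODES 256
#define RESERVED_CODE   'N'   /* skipped via j--, so it costs one extra index */

/* Pre-patch check. The sum is done unsigned and cast back so the demo stays
 * defined; with int it overflows and on common targets wraps negative. */
static bool count_legal_before(int i, int count) {
    int sum = (int)((unsigned)i + (unsigned)count);
    return !(count == 0 || sum > NUT_FRAME_CODES);
}
/* The check as written in the patch hunk. */
static bool count_legal_patch(int i, int count) {
    return !(count <= 0 ||
             (i >  RESERVED_CODE && count > NUT_FRAME_CODES - i) ||
             (i <= RESERVED_CODE && count > NUT_FRAME_CODES - 1 - i));
}
/* Michael's one-expression form: (i <= 'N') is 0 or 1. */
static bool count_legal_simplified(int i, int count) {
    return !(count <= 0 || count > NUT_FRAME_CODES - (i <= RESERVED_CODE) - i);
}
/* Replay the fill loop: returns the index reached after 'count' entries, or
 * -1 if any write would land at or beyond index 256. */
static int simulate_fill(int i, int count) {
    for (int j = 0; j < count; j++, i++) {
        if (i >= NUT_FRAME_CODES)
            return -1;              /* the out-of-bounds write */
        if (i == RESERVED_CODE) {
            j--;                    /* reserved slot is not counted */
            continue;
        }
        /* frame_code[i] would be filled here */
    }
    return i;
}
/* Sweep all start indices and a range of counts: both checks must agree, and
 * for count > 0 "legal" must mean exactly "no out-of-bounds write". */
static bool checks_are_tight(void) {
    for (int i = 0; i < NUT_FRAME_CODES; i++)
        for (int count = -1; count <= NUT_FRAME_CODES + 2; count++) {
            bool legal = count_legal_patch(i, count);
            if (legal != count_legal_simplified(i, count) ||
                (count > 0 && legal != (simulate_fill(i, count) != -1)))
                return false;
        }
    return true;
}
```

The pre-patch function accepts a huge count because the wrapped sum compares below 256; both patched forms reject it, and the sweep shows they are equivalent and exactly as tight as the loop requires.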