[FFmpeg-devel] [PATCH] dvenc: Prevent out-of-bounds read

Martin Vignali martin.vignali at gmail.com
Fri Nov 17 18:42:09 EET 2017


2017-11-17 17:20 GMT+01:00 Derek Buitenhuis <derek.buitenhuis at gmail.com>:

> mb_area_start has 5 entries, and 'a' is iterated through from 0 to 3.
> 'a2' is set to 'a + 1', and mb_area_start[a2 + 1] is accessed, so if
> a is 3, then we try to access mb_area_start[5].
>
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
> ---
> I'm not 100% sure if this fix is /correct/, so hopefully someone
> knows the DV code...
> ---
>  libavcodec/dvenc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c
> index ce2fc75daa..b79cbebb04 100644
> --- a/libavcodec/dvenc.c
> +++ b/libavcodec/dvenc.c
> @@ -383,7 +383,7 @@ static inline void dv_guess_qnos(EncBlockInfo *blks,
> int *qnos)
>                                  prev            = k;
>                              } else {
>                                  if (b->next[k] >= mb_area_start[a + 1] &&
> b->next[k] < 64) {
> -                                    for (a2 = a + 1; b->next[k] >=
> mb_area_start[a2 + 1]; a2++)
> +                                    for (a2 = a + 1; a2 < 4 && b->next[k]
> >= mb_area_start[a2 + 1]; a2++)
>                                          b->prev[a2] = prev;
>                                      av_assert2(a2 < 4);
>                                      av_assert2(b->mb[b->next[k]]);
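Review bot: In the changed for condition, the new a2 < 4 guard stops the read of mb_area_start[5] described in the commit message, but the loop can now exit with a2 == 4, which the unchanged av_assert2(a2 < 4); on the next line treats as impossible. If a is 3 on entry, a2 starts at 4, the body never runs, and the assert fails in builds where av_assert2 is enabled. In other builds, anything after the loop that uses a2 as an index would see 4. Please settle which case applies. If a2 == 4 is reachable, handle it explicitly after the loop and drop or relax the assert. If it is not reachable, say in the commit message that the bound is only defensive. Either way, consider deriving the limit from the array size (for example FF_ARRAY_ELEMS(mb_area_start) - 1) instead of the literal 4, so the guard stays tied to the 5-entry table.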
> --
>
>
Hello,

I don't know the dvenc code,
but you seem to test the assert of the next line.

Maybe move the assert (a2 < 4); before the for loop, if it's a theoretical
case,
or remove it if this case can really happen.

Martin

