[FFmpeg-devel] [PATCH] dvenc: Prevent out-of-bounds read

Michael Niedermayer michael at niedermayer.cc
Fri Nov 17 19:37:16 EET 2017


On Fri, Nov 17, 2017 at 04:20:55PM +0000, Derek Buitenhuis wrote:
> mb_area_start has 5 entries, and 'a' is iterated through from 0 to 3.
> 'a2' is set to 'a + 1', and mb_area_start[a2 + 1] is accessed, so if
> a is 3, then we try to access mb_area_start[5].
> 
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
> ---
> I'm not 100% sure if this fix is /correct/, so hopefully someone
> knows the DV code...
> ---
>  libavcodec/dvenc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c
> index ce2fc75daa..b79cbebb04 100644
> --- a/libavcodec/dvenc.c
> +++ b/libavcodec/dvenc.c
> @@ -383,7 +383,7 @@ static inline void dv_guess_qnos(EncBlockInfo *blks, int *qnos)
>                                  prev            = k;
>                              } else {
>                                  if (b->next[k] >= mb_area_start[a + 1] && b->next[k] < 64) {
> -                                    for (a2 = a + 1; b->next[k] >= mb_area_start[a2 + 1]; a2++)
> +                                    for (a2 = a + 1; a2 < 4 && b->next[k] >= mb_area_start[a2 + 1]; a2++)
>                                          b->prev[a2] = prev;
>                                      av_assert2(a2 < 4);
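Review bot: with `a2 < 4` now part of the loop condition, the `av_assert2(a2 < 4)` right after the loop can never fire, so the patch leaves a dead assertion; drop it together with the guard, or keep the assertion and explain in the commit message why the existing bound is insufficient. The enclosing `if (b->next[k] >= mb_area_start[a + 1] && b->next[k] < 64)` already limits `b->next[k]` to below 64, and if the table's last entry is 64 (as the reply below points out), the `b->next[k] >= mb_area_start[a2 + 1]` test fails at index 4 before `mb_area_start[5]` is ever read; in that case the new guard only masks a broken table invariant rather than fixing a real read, and an assertion on the sentinel value would document the actual assumption better.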

hmm, I can't really remember this clearly, but from looking at the code
it looks like this is the logic:
b->next[k] < 64
b->next[k] >= mb_area_start[a + 1] implies mb_area_start[a + 1] < 64,
which implies a < 3,
and a2 < 4 on the first iteration, so the first is still in the array;
subsequently, b->next[k] >= mb_area_start[a2 + 1] exits before the end,
as b->next[k] < 64 and the last entry is 64


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
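An added example (not code from the patch or from FFmpeg's dvenc.c) that checks the bound argument in the reply above exhaustively: for every `a` in 0..3 and every `next` value admitted by the enclosing `if`, the unpatched loop stops with `a2 < 4` and never indexes past entry 4. The table contents are a constructed stand-in; only its size (5 entries) and the trailing sentinel of 64 are taken from the thread.

```c
#include <stdio.h>

/* Constructed stand-in for the 5-entry mb_area_start table. Only the two
 * properties the thread relies on are reproduced: increasing entries and a
 * final sentinel of 64. The real values from dvenc.c are not used here. */
static const int mb_area_start[5] = { 1, 6, 21, 43, 64 };

/* Mirrors the unpatched loop from dv_guess_qnos() for one 'a' and one
 * 'next' value, but instrumented: returns the a2 at which the loop stops
 * and records the highest table index the loop read. An index beyond 4
 * is reported rather than dereferenced, so the probe itself is safe. */
static int walk_areas(int a, int next, int *max_index_read)
{
    int a2;
    *max_index_read = -1;
    for (a2 = a + 1; ; a2++) {
        int idx = a2 + 1;          /* the unpatched code reads mb_area_start[idx] */
        if (idx > *max_index_read)
            *max_index_read = idx;
        if (idx > 4)               /* would be an out-of-bounds read: stop */
            return a2;
        if (next < mb_area_start[idx])
            break;                 /* loop condition fails, as in the original */
    }
    return a2;
}

/* Exhaustively checks the invariant argued in the reply: for every a in 0..3
 * and every next with next >= mb_area_start[a + 1] && next < 64 (the enclosing
 * condition), the loop ends with a2 < 4 and never reads past index 4.
 * Returns 1 when the invariant holds for all inputs, 0 on the first violation. */
static int invariant_holds(void)
{
    for (int a = 0; a < 4; a++) {
        /* for a == 3 the range is empty, matching the "a < 3" step in the reply */
        for (int next = mb_area_start[a + 1]; next < 64; next++) {
            int max_idx;
            int a2 = walk_areas(a, next, &max_idx);
            if (a2 >= 4 || max_idx > 4)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("bound invariant %s\n", invariant_holds() ? "holds" : "violated");
    return 0;
}
```

Replacing the sentinel with a smaller value (or dropping it) makes `invariant_holds()` return 0, which is the situation the added `a2 < 4` guard would be protecting against.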
