[FFmpeg-devel] [PATCH 1/3] avcodec/h264dec: Fix potential array overread

Michael Niedermayer michael at niedermayer.cc
Sun Oct 22 15:07:49 EEST 2017


On Sun, Oct 22, 2017 at 07:28:31AM -0400, Ronald S. Bultje wrote:
> Hi,
> 
> On Sat, Oct 21, 2017 at 7:41 PM, Michael Niedermayer <michael at niedermayer.cc
> > wrote:
> 
> > add padding before scantable arrays
> >
> > See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a
> >
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/h264dec.h | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/libavcodec/h264dec.h b/libavcodec/h264dec.h
> > index 2106ba077e..de8b7c38b9 100644
> > --- a/libavcodec/h264dec.h
> > +++ b/libavcodec/h264dec.h
> > @@ -416,6 +416,7 @@ typedef struct H264Context {
> >      uint8_t (*mvd_table[2])[2];
> >      uint8_t *direct_table;
> >
> > +    uint8_t scan_padding[16];
> >      uint8_t zigzag_scan[16];
> >      uint8_t zigzag_scan8x8[64];
> >      uint8_t zigzag_scan8x8_cavlc[64];
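Review bot: the new scan_padding[16] is neither initialised nor documented anywhere in this patch, so whether a read at zigzag_scan[-1..-16] returns zeros rather than whatever the allocator left there depends entirely on the H264Context being zero-allocated, and nothing in the hunk states that. Add a comment beside the field saying why it exists and what it relies on, for example `uint8_t scan_padding[16]; /* absorbs negative scan indices; must stay zero, see 522d850e */`, and if the context is ever allocated or reset without zeroing, clear the field explicitly. Note also that 16 bytes only covers indices down to -16; if the overread behind the commit can go further than the table length, size the padding to that bound rather than to sizeof(zigzag_scan).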
> > --
> > 2.14.2
> 
> 
> This is 16 bytes; isn't the space before it (the pointers) already
> providing that space? Or do you want it to be zeroed so resulting indices
> can be used for writing into the coef array?

I wanted to ensure that the pointer cannot leak into the output,
possibly giving an attacker information about the memory layout.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato
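The layout question in the exchange above, shown in code as an added illustration that is not part of the thread or of FFmpeg: two constructed context structs, one with a heap pointer directly before a 16-entry scan table (the direct_table / zigzag_scan neighbourhood of the quoted hunk) and one with the 16-byte padding inserted between them. A lookup whose index comes from the bitstream and goes negative is modelled through a byte view of the struct so the out-of-range read stays inside one object and can be observed. The struct names, the `scan_lookup` helper and the 0xA5 fill used to stand in for uninitialised memory are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not FFmpeg code: a context in which a heap
 * pointer sits directly before a 16-entry scan table, mirroring the
 * direct_table / zigzag_scan neighbourhood of the quoted h264dec.h hunk. */
typedef struct {
    uint8_t *direct_table;     /* pointer immediately before the table */
    uint8_t  zigzag_scan[16];
} CtxUnpadded;

typedef struct {
    uint8_t *direct_table;
    uint8_t  scan_padding[16]; /* the 16 bytes the patch inserts */
    uint8_t  zigzag_scan[16];
} CtxPadded;

/* Model of a table lookup whose index is decoded from the bitstream and may
 * be negative.  The access goes through a byte view of the whole struct so
 * that the out-of-range read stays inside one object and is observable
 * here without undefined behaviour.                                       */
static uint8_t scan_lookup(const void *ctx, size_t table_off, int idx)
{
    const uint8_t *base = (const uint8_t *)ctx;
    return base[(ptrdiff_t)table_off + idx];
}

/* Reads the nbytes bytes immediately before the table (idx -nbytes..-1). */
static void read_before_table(const void *ctx, size_t table_off,
                              uint8_t *out, size_t nbytes)
{
    size_t i;
    for (i = 0; i < nbytes; i++)
        out[i] = scan_lookup(ctx, table_off, (int)i - (int)nbytes);
}

/* Unpadded layout: indices -sizeof(void *)..-1 return the bytes of
 * direct_table itself.  Returns 1 if the overread reproduces the pointer,
 * i.e. a decoded coefficient position could carry a heap address into
 * the output.                                                           */
int unpadded_overread_leaks_pointer(void)
{
    CtxUnpadded *ctx = calloc(1, sizeof *ctx);
    uint8_t expect[sizeof(void *)], got[sizeof(void *)];
    int leaks;

    if (!ctx)
        return 0;
    ctx->direct_table = malloc(64);          /* some heap address */
    memcpy(expect, &ctx->direct_table, sizeof expect);
    read_before_table(ctx, offsetof(CtxUnpadded, zigzag_scan), got, sizeof got);
    leaks = memcmp(got, expect, sizeof got) == 0;

    free(ctx->direct_table);
    free(ctx);
    return leaks;
}

/* Padded layout: the same indices land in scan_padding.  What they return
 * depends on the padding's contents, which is the zeroing question raised
 * in the thread: with zero_padding the context stays as calloc left it;
 * without it the padding is filled with 0xA5 as a constructed stand-in for
 * uninitialised memory.  Returns the largest byte seen across idx -16..-1. */
int padded_overread_max_byte(int zero_padding)
{
    CtxPadded *ctx = calloc(1, sizeof *ctx);
    uint8_t got[16];
    int max = 0;
    size_t i;

    if (!ctx)
        return -1;
    ctx->direct_table = malloc(64);
    if (!zero_padding)
        memset(ctx->scan_padding, 0xA5, sizeof ctx->scan_padding);
    read_before_table(ctx, offsetof(CtxPadded, zigzag_scan), got, sizeof got);
    for (i = 0; i < sizeof got; i++)
        if (got[i] > max)
            max = got[i];

    free(ctx->direct_table);
    free(ctx);
    return max;
}

int main(void)
{
    printf("unpadded overread leaks pointer: %d\n", unpadded_overread_leaks_pointer());
    printf("padded, zeroed, max byte read:   0x%02x\n", padded_overread_max_byte(1));
    printf("padded, unzeroed, max byte read: 0x%02x\n", padded_overread_max_byte(0));
    return 0;
}
```

Two caveats follow from the example. The padding only absorbs indices down to -16; an index that goes further still reaches the pointer bytes, so the padding has to be sized to the worst-case index, not to the table length. And the padding only hides the layout if it is actually zero: the unzeroed case returns the 0xA5 fill, which is still data an attacker can observe in the output, even if it is no longer an address.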
