[FFmpeg-soc] BFI Decoder

Sisir Koppaka sisir.koppaka at gmail.com
Wed Apr 16 23:21:28 CEST 2008


On Thu, Apr 17, 2008 at 2:48 AM, Mike Melanson <mike at multimedia.cx> wrote:

> Sisir Koppaka wrote:
> > On Thu, Apr 17, 2008 at 2:31 AM, Michael Niedermayer <michaelni at gmx.at> wrote:
> >
> >> [...]
> >>>     while (dst != frame_end) {
> >>>         byte = *buf++;
> >>>         code = byte >> 6;
> >>>         length = byte & ~0xC0;
> >>>         switch (code) {
> >>>         case 0:                //Normal Chain
> >>>             if (length == 0) {
> >>>                 length = bytestream_get_le16(&buf);
> >>>             }
> >>>             bytestream_get_buffer(&buf, dst, length);
> >> exploitable
> >>
> > Do you mean like if somebody changes the dst pointer to point to some other
> > stuff? I can think of alternatives like reading byte-by-byte, using similar
> > functions, but in all of them, the dst pointer could be changed...if that's
> > the exploitable code here. If I'm wrong, can you please explain?
>
> Where does length come from? User input. So I craft a malicious file
> that has an outrageous size. That instructs bytestream_get_buffer() to
> read a huge amount of data from the file into dst.
>
> At best, it could crash.
>
> At worst, tricks could be played to execute code.
>
> Exploitable. Make sure that length <= the number of valid bytes pointed
> to by dst.
>
Oh, thanks. I should be a bit more cunning to get this sort of idea... :)
-----------------
Sisir Koppaka
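The bound Mike asks for, as an added example that is not code from the thread or from FFmpeg: a decoder loop for the "normal chain" opcode (code 0) shown above, with the attacker-controlled length checked against both the remaining input and the remaining output before anything is copied. get_le16() is a hypothetical stand-in for bytestream_get_le16(); the other opcodes are outside this example and are rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper mirroring bytestream_get_le16(): read a little-endian
 * 16-bit value and advance the cursor. Caller must have checked 2 bytes remain. */
static uint16_t get_le16(const uint8_t **buf)
{
    uint16_t v = (uint16_t)((*buf)[0] | ((*buf)[1] << 8));
    *buf += 2;
    return v;
}

/* Decode "normal chain" (opcode 0) runs from buf into dst.
 * Returns the number of bytes written to dst, or -1 on malformed or
 * oversized input. Opcodes 1..3 are not covered here and yield -1. */
int decode_normal_chains(const uint8_t *buf, size_t buf_size,
                         uint8_t *dst, size_t dst_size)
{
    const uint8_t *buf_end   = buf + buf_size;
    uint8_t       *frame_end = dst + dst_size;
    uint8_t       *dst_start = dst;

    while (dst != frame_end) {
        if (buf >= buf_end)             /* input ran out before the frame was full */
            return -1;
        uint8_t  byte   = *buf++;
        unsigned code   = byte >> 6;
        size_t   length = byte & 0x3F;  /* same as byte & ~0xC0 on an 8-bit value */
        if (code != 0)
            return -1;                  /* only the normal chain is handled here */
        if (length == 0) {
            if (buf_end - buf < 2)      /* the extended length needs two more bytes */
                return -1;
            length = get_le16(&buf);
        }
        /* The checks the original loop lacked: length comes from the file, so
         * it must fit in what is left of the input AND what is left of dst. */
        if (length > (size_t)(frame_end - dst) || length > (size_t)(buf_end - buf))
            return -1;
        memcpy(dst, buf, length);
        buf += length;
        dst += length;
    }
    return (int)(dst - dst_start);
}
```

A length of 0xFFFF via the extended form, or any run longer than the space left in the frame, is refused instead of being copied past the end of dst.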