[FFmpeg-trac] #554(avcodec:new): Buffer overflow in dvbsubdec.c
FFmpeg
trac at avcodec.org
Fri Oct 14 13:00:30 CEST 2011
#554: Buffer overflow in dvbsubdec.c
---------------------------------+--------------------------------------
Reporter: mihnea | Type: defect
Status: new | Priority: normal
Component: avcodec | Version: git-master
Keywords: dvbsub | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+--------------------------------------
Hi.
The function dvbsub_parse_pixel_data_block() in libavcodec/dvbsubdec.c is
prone to overflowing the region->pbuf buffer. That buffer is
region->width*region->height bytes in length, but the check for overflow
is done like this:
if (x_pos > region->width || y_pos > region->height)
The comparisons should obviously use greater than or equal instead of
greater, since you never want to write at region->height * region->width +
something. However, if I change them, the "invalid object location"
message triggers all the time because y_pos is incremented a few lines
above like this:
if ((y_pos & 1) != top_bottom)
    y_pos++;
I suppose this is trying to align the starting line to odd or even to
account for interlacing. I'm not sure how this works for progressive
streams since I don't know anything about how DVB subtitles are encoded,
but with a progressive stream it always reaches this piece of code with
y_pos = region->height - 1, so the increment makes y_pos invalid, causing
a buffer overflow with the current code, or triggering the error message
if the comparison is fixed.
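The off-by-one described above, as an added example that is not FFmpeg's code: a stand-in region with the ticket's '>' check beside a '>=' check, a pixel write that refuses out-of-range positions, and the field-parity alignment that pushes y_pos past the last line. The struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the decoder's region (hypothetical names,
 * not FFmpeg's struct): pbuf holds width * height bytes. */
typedef struct {
    int width, height;
    uint8_t *pbuf;
} region_t;

/* The ticket's check: '>' accepts x_pos == width and y_pos == height,
 * i.e. one past the buffer on each axis. Returns 1 when accepted. */
int check_broken(const region_t *r, int x_pos, int y_pos) {
    return !(x_pos > r->width || y_pos > r->height);
}

/* Corrected check: valid pixel indices are 0..width-1 and 0..height-1. */
int check_fixed(const region_t *r, int x_pos, int y_pos) {
    return !(x_pos < 0 || y_pos < 0 ||
             x_pos >= r->width || y_pos >= r->height);
}

/* Write one pixel; returns -1 instead of writing past the buffer. */
int region_put_pixel(region_t *r, int x_pos, int y_pos, uint8_t v) {
    if (!check_fixed(r, x_pos, y_pos))
        return -1;
    r->pbuf[y_pos * r->width + x_pos] = v;
    return 0;
}

/* Models the interlace alignment from the ticket: move y_pos to the
 * requested field parity (top_bottom is 0 or 1), then validate it.
 * Returns the aligned y_pos, or -1 when the increment leaves the region,
 * which is exactly what happens at y_pos == height - 1. */
int align_y(const region_t *r, int y_pos, int top_bottom) {
    if ((y_pos & 1) != top_bottom)
        y_pos++;
    if (y_pos < 0 || y_pos >= r->height)
        return -1;
    return y_pos;
}
```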
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/554>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker