[FFmpeg-cvslog] lavu/avstring: check for overlong encodings in	av_utf8_decode()
    Stefano Sabatini 
    git at videolan.org
       
    Mon Sep  1 10:49:47 CEST 2014
    
    
  
ffmpeg | branch: master | Stefano Sabatini <stefasab at gmail.com> | Thu Aug 28 17:37:27 2014 +0200| [d4ec07dfe7dbc86e8f6403781c511b9463a526d2] | committer: Stefano Sabatini
lavu/avstring: check for overlong encodings in av_utf8_decode()
Fix reopened trac ticket #1163.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4ec07dfe7dbc86e8f6403781c511b9463a526d2
---
 libavutil/avstring.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/libavutil/avstring.c b/libavutil/avstring.c
index a63fb84..fd010e4 100644
--- a/libavutil/avstring.c
+++ b/libavutil/avstring.c
@@ -27,6 +27,7 @@
 #include "config.h"
 #include "common.h"
 #include "mem.h"
+#include "avassert.h"
 #include "avstring.h"
 #include "bprint.h"
 
@@ -331,7 +332,10 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
     const uint8_t *p = *bufp;
     uint32_t top;
     uint64_t code;
-    int ret = 0;
+    int ret = 0, tail_len;
+    uint32_t overlong_encoding_mins[6] = {
+        0x00000000, 0x00000080, 0x00000800, 0x00010000, 0x00200000, 0x04000000,
+    };
 
     if (p >= buf_end)
         return 0;
@@ -346,8 +350,10 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
     }
     top = (code & 128) >> 1;
 
+    tail_len = 0;
     while (code & top) {
         int tmp;
+        tail_len++;
         if (p >= buf_end) {
             (*bufp) ++;
             return AVERROR(EILSEQ); /* incomplete sequence */
@@ -364,6 +370,13 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
     }
     code &= (top << 1) - 1;
 
+    /* check for overlong encodings */
+    av_assert0(tail_len <= 5);
+    if (code < overlong_encoding_mins[tail_len]) {
+        ret = AVERROR(EILSEQ);
+        goto end;
+    }
+
     if (code >= 1<<31) {
         ret = AVERROR(EILSEQ);  /* out-of-range value */
         goto end;
    
    
More information about the ffmpeg-cvslog
mailing list