[Ffmpeg-devel] PIX_FMT_PAL8 seg fault
Michael Niedermayer
michaelni
Fri Dec 2 01:25:44 CET 2005
Hi
On Wed, Nov 30, 2005 at 02:11:08PM +0000, Simon Kilvington wrote:
>
> Hi,
>
> there is a bug in libavcodec when it decodes small (e.g. 1x1)
> PIX_FMT_PAL8 format images: the get_buffer function
> avcodec_default_get_buffer doesn't alloc enough space for the palette
> entries, so when the palette data gets copied into the data[1] array it
> overflows the buffer on the heap and causes a seg fault the next time
> you use free/malloc (actually it does alloc enough space in base[1], but
> data[1] points to the middle of the buffer, so it overflows).
>
> this is probably exploitable
>
> you can trigger the bug by using avcodec_decode_video to read a
> 1x1 PNG file with a palette; calling avcodec_close afterwards causes a
> seg fault in glibc inside free.
>
> I've attached a patch to fix it, it works for me, but it's a bit
> of a hack so someone who knows more about libavcodec probably should
> have a look at it
should be fixed
[...]
--
Michael
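The layout problem Simon describes (base[1] is large enough, but data[1] starts part-way into it, so a 256-entry palette copy runs off the end for tiny frames) can be modelled independently of the codec. The following is an added illustration, not code from FFmpeg or from either poster: the border width, stride alignment and the "data sits past an edge border" arithmetic are assumptions chosen to approximate the allocator the report refers to, and AVPALETTE_SIZE is the 256 * 4 byte palette size libavcodec uses. It contrasts the naive plane-1 sizing with a sizing that reserves the palette explicitly, and adds a bounds check that refuses the copy rather than corrupting the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AVPALETTE_SIZE 1024   /* 256 palette entries * 4 bytes (libavcodec) */
#define EDGE_WIDTH     16     /* assumed edge border, in rows and columns */
#define STRIDE_ALIGN   16     /* assumed linesize alignment */

#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((size_t)(a) - 1))

/* Model of one plane: a heap block at base, with data pointing inside it. */
typedef struct {
    uint8_t *base;   /* start of the allocation */
    uint8_t *data;   /* where the decoder writes */
    size_t   alloc;  /* bytes available at base */
} Plane;

/* Naive layout (model of the reported bug): plane 1 is sized like an
   image plane with an edge border, and data points past that border,
   so the usable room shrinks to alloc minus the border offset. */
static int layout_naive(Plane *p, int w, int h)
{
    size_t linesize = ALIGN_UP((size_t)w + 2 * EDGE_WIDTH, STRIDE_ALIGN);
    size_t rows     = (size_t)h + 2 * EDGE_WIDTH;
    p->alloc = linesize * rows;
    p->base  = calloc(1, p->alloc);
    if (!p->base)
        return -1;
    p->data = p->base + EDGE_WIDTH * linesize + EDGE_WIDTH;
    return 0;
}

/* Fixed layout: the palette plane is not an image plane, so reserve the
   full palette and write from the start of the block (no border offset). */
static int layout_fixed(Plane *p, int w, int h)
{
    (void)w; (void)h;
    p->alloc = AVPALETTE_SIZE;
    p->base  = calloc(1, p->alloc);
    if (!p->base)
        return -1;
    p->data = p->base;
    return 0;
}

/* Bytes by which a copy of n bytes to data would run past the block. */
size_t overflow_bytes(const Plane *p, size_t n)
{
    size_t room = p->alloc - (size_t)(p->data - p->base);
    return n > room ? n - room : 0;
}

/* Bounds-checked palette copy: returns -1 instead of overflowing. */
int copy_palette(Plane *p, const uint32_t pal[256])
{
    if (overflow_bytes(p, AVPALETTE_SIZE) != 0)
        return -1;
    memcpy(p->data, pal, AVPALETTE_SIZE);
    return 0;
}

/* Lay out plane 1 for a w x h frame, attempt the palette copy, and report
   the result: the copy's return value, plus how many bytes the unchecked
   copy would have overflowed by. */
int palette_copy_result(int w, int h, int use_fixed, size_t *overflow)
{
    uint32_t pal[256];
    Plane p;
    int rc;
    for (int i = 0; i < 256; i++)        /* constructed grey-ramp palette */
        pal[i] = 0xFF000000u | (uint32_t)(i * 0x010101);
    if ((use_fixed ? layout_fixed(&p, w, h) : layout_naive(&p, w, h)) != 0)
        return -2;
    *overflow = overflow_bytes(&p, AVPALETTE_SIZE);
    rc = copy_palette(&p, pal);
    free(p.base);
    return rc;
}

int main(void)
{
    size_t ov;
    int rc = palette_copy_result(1, 1, 0, &ov);
    printf("1x1 naive layout: copy rc=%d, would overflow by %zu bytes\n", rc, ov);
    rc = palette_copy_result(1, 1, 1, &ov);
    printf("1x1 fixed layout: copy rc=%d, overflow %zu bytes\n", rc, ov);
    rc = palette_copy_result(64, 64, 0, &ov);
    printf("64x64 naive layout: copy rc=%d, overflow %zu bytes\n", rc, ov);
    return 0;
}
```

With these assumed parameters a 1x1 frame gets a 48-byte linesize and 33 rows (1584 bytes), but data starts 784 bytes in, leaving 800 bytes for a 1024-byte palette; a 64x64 frame has ample room, which is why only small images trip the bug. The bounds check is the cheap defence to keep in any code that copies a fixed-size table into a plane sized from picture dimensions.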