[FFmpeg-devel] [PATCH] fix potential ff_mov_lang_to_iso639 segfault
Baptiste Coudurier
baptiste.coudurier
Wed Jan 21 20:00:08 CET 2009
Hi Aurel,
Aurelien Jacobs wrote:
> Hi,
>
> ff_mov_lang_to_iso639() takes a code parameter as an int and uses it
> to address memory: mov_mdhd_language_map[code]
> There is a proper upper bound check, but no lower bound check, so a negative
> value of code could generate a segfault.
> Code is read directly from the mov bitstream, so a specially crafted file
> could trigger this segfault.
> The attached patch changes code to unsigned to avoid this problem.
> It may solve the segfault reported in issue793 (an mp3 file misdetected
> as mov).
>
> Aurel
>
>
> ------------------------------------------------------------------------
>
> Index: libavformat/isom.c
> ===================================================================
> --- libavformat/isom.c (revision 16686)
> +++ libavformat/isom.c (working copy)
> @@ -274,7 +274,7 @@
> return code;
> }
>
> -int ff_mov_lang_to_iso639(int code, char *to)
> +int ff_mov_lang_to_iso639(unsigned int code, char *to)
> {
> int i;
> /* is it the mangled iso code? */
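Review bot: At the changed signature `ff_mov_lang_to_iso639(unsigned int code, char *to)`, the lower bound is now enforced only implicitly: a negative value converts to a large unsigned one, which the upper bound check mentioned in the description (outside this hunk) is expected to reject. Add a one-line comment at the function saying the parameter is unsigned for that reason, so a later cleanup does not change it back to `int`. The body after `/* is it the mangled iso code? */` is not shown, so also confirm that every comparison on `code` there still behaves as intended once the type is unsigned.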
> Index: libavformat/isom.h
> ===================================================================
> --- libavformat/isom.h (revision 16686)
> +++ libavformat/isom.h (working copy)
> @@ -33,7 +33,7 @@
> extern const AVCodecTag ff_codec_movsubtitle_tags[];
>
> int ff_mov_iso639_to_lang(const char *lang, int mp4);
> -int ff_mov_lang_to_iso639(int code, char *to);
> +int ff_mov_lang_to_iso639(unsigned int code, char *to);
>
> typedef struct {
> int count;
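Review bot: The prototype `int ff_mov_lang_to_iso639(unsigned int code, char *to);` carries no comment on the accepted range of `code` or on how large the buffer behind `to` must be. The header is what callers read, so document both next to the declaration, including that out-of-range codes are rejected rather than looked up.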
> Index: libavformat/mov.c
> ===================================================================
> --- libavformat/mov.c (revision 16686)
> +++ libavformat/mov.c (working copy)
> @@ -493,7 +493,7 @@
> AVStream *st = c->fc->streams[c->fc->nb_streams-1];
> MOVStreamContext *sc = st->priv_data;
> int version = get_byte(pb);
> - int lang;
> + unsigned int lang;
>
> if (version > 1)
> return -1; /* unsupported */
>
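Review bot: For `unsigned int lang;`, the statement that assigns `lang` is outside the visible context, so the hunk does not show whether the read can produce a negative `int` at all. If the reader returns a fixed-width unsigned field, this local's type change is cosmetic and the protection comes from the parameter type in isom.c; state which case applies in the commit message.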
Patch ok with "unsigned" instead of "unsigned int", shorter :>
--
Baptiste COUDURIER GnuPG Key Id: 0x5C1ABAAA
Key fingerprint 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
checking for life_signs in -lkenny... no
FFmpeg maintainer http://www.ffmpeg.org
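
The bug class discussed in this thread, as an added C example that is not part of the original message or of FFmpeg's code: a table index checked only against its upper bound, once with a signed and once with an unsigned parameter. The table, its length and the function names are hypothetical, and the input value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in table; not FFmpeg's mov_mdhd_language_map. */
#define DEMO_MAP_LEN 4
static const char *const demo_lang_map[DEMO_MAP_LEN] = { "eng", "fra", "ger", "ita" };

/* "Before" shape: signed index, upper bound only. Returns 1 when the check
 * would let the index reach the table. The table is deliberately not read
 * here, so the demo never performs the out-of-bounds access. */
static int passes_signed_check(int code)
{
    return code < DEMO_MAP_LEN;      /* signed compare: -1 < 4 is true */
}

/* "After" shape: the same single comparison with an unsigned parameter.
 * A negative argument converts modulo UINT_MAX + 1, so -1 becomes UINT_MAX
 * and fails the upper bound check. */
static int passes_unsigned_check(unsigned int code)
{
    return code < DEMO_MAP_LEN;
}

/* Lookup using the unsigned form; writes a NUL-terminated 3-letter code. */
static int demo_lang_lookup(unsigned int code, char to[4])
{
    memset(to, 0, 4);
    if (code >= DEMO_MAP_LEN)
        return 0;                    /* also covers values that were negative as int */
    memcpy(to, demo_lang_map[code], 3);
    return 1;
}

int main(void)
{
    int raw = -1;                    /* constructed input standing in for a crafted field */
    char lang[4];
    printf("signed check passes -1:   %d\n", passes_signed_check(raw));
    printf("unsigned check passes -1: %d\n", passes_unsigned_check(raw));
    printf("lookup(-1) -> %d\n", demo_lang_lookup(raw, lang));
    printf("lookup(2)  -> %d \"%s\"\n", demo_lang_lookup(2, lang), lang);
    return 0;
}
```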