[FFmpeg-devel] [PATCH] fix potential ff_mov_lang_to_iso639 segfault
Aurelien Jacobs
aurel
Wed Jan 21 23:32:47 CET 2009
Baptiste Coudurier wrote:
> Hi Aurel,
>
> Aurelien Jacobs wrote:
> > Hi,
> >
> > ff_mov_lang_to_iso639() takes a code parameter as an int and uses it
> > to address memory: mov_mdhd_language_map[code]
> > There is a proper upper bound check, but no lower bound check, so a negative
> > value of code could generate a segfault.
> > Code is read directly from the mov bitstream, so a specially crafted file
> > could trigger this segfault.
> > The attached patch changes code to unsigned to avoid this problem.
> > It may solve the segfault reported in issue793 (an mp3 file mis-detected
> > as mov).
> >
> > Aurel
> >
> >
> > ------------------------------------------------------------------------
> >
> > Index: libavformat/isom.c
> > ===================================================================
> > --- libavformat/isom.c (revision 16686)
> > +++ libavformat/isom.c (working copy)
> > @@ -274,7 +274,7 @@
> > return code;
> > }
> >
> > -int ff_mov_lang_to_iso639(int code, char *to)
> > +int ff_mov_lang_to_iso639(unsigned int code, char *to)
> > {
> > int i;
> > /* is it the mangled iso code? */
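Review bot: the unsigned parameter only closes the hole if the upper bound comparison in the body (not shown in this hunk's context) stays in place, since a code that used to be negative now arrives as a large unsigned value and must still be rejected before mov_mdhd_language_map[code] is read; please keep that check, and since the body still declares a signed loop counter `int i`, confirm that `code` is never compared against it, or the compiler will warn about signed/unsigned comparison. A one-line comment above the definition saying that `code` is a raw bitstream value and must stay unsigned would stop a later cleanup from reverting it to `int`.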
> > Index: libavformat/isom.h
> > ===================================================================
> > --- libavformat/isom.h (revision 16686)
> > +++ libavformat/isom.h (working copy)
> > @@ -33,7 +33,7 @@
> > extern const AVCodecTag ff_codec_movsubtitle_tags[];
> >
> > int ff_mov_iso639_to_lang(const char *lang, int mp4);
> > -int ff_mov_lang_to_iso639(int code, char *to);
> > +int ff_mov_lang_to_iso639(unsigned int code, char *to);
> >
> > typedef struct {
> > int count;
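Review bot: the prototype now matches the new definition in isom.c, which this patch must keep in step in one commit; note that the inverse function declared just above it, ff_mov_iso639_to_lang, still returns a signed `int`, so if it can report failure with a negative value, a caller that feeds that result straight into ff_mov_lang_to_iso639 gets a large unsigned code that the range check rejects rather than an explicit error path. A short comment on the declaration that the parameter is a raw bitstream value would make that contract visible to callers.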
> > Index: libavformat/mov.c
> > ===================================================================
> > --- libavformat/mov.c (revision 16686)
> > +++ libavformat/mov.c (working copy)
> > @@ -493,7 +493,7 @@
> > AVStream *st = c->fc->streams[c->fc->nb_streams-1];
> > MOVStreamContext *sc = st->priv_data;
> > int version = get_byte(pb);
> > - int lang;
> > + unsigned int lang;
> >
> > if (version > 1)
> > return -1; /* unsupported */
> >
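Review bot: declaring `lang` unsigned only helps if the assignment from `pb` further down in the function (outside this hunk's context) reads the 16-bit language field through an unsigned path; with that, the value is bounded to 0..65535 before it reaches ff_mov_lang_to_iso639 and the lower-bound problem is closed at its source, independently of the isom.c change. The shorter `unsigned` spelling suggested in the reply works equally for all three declarations in this patch, so apply it to the isom.c and isom.h hunks too rather than mixing `unsigned int` and `unsigned`.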
>
> Patch ok with "unsigned" instead of "unsigned int", shorter :>
OK. Applied with unsigned.
Aurel
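As an added illustration of the bug discussed in this thread (example code, not the patch itself and not FFmpeg's code), the following C block isolates the signed-index bounds test beside its unsigned replacement, so the "negative code passes an upper-bound-only check" behaviour can be exercised without performing the out-of-bounds read. The lookup table is a constructed stand-in for mov_mdhd_language_map, the sign-extending 16-bit reader is a constructed hazard rather than any FFmpeg reader, and the packed ISO 639 decoding rule for codes at or above 0x400 (three 5-bit fields, each 0x60 plus the letter index) is assumed from the QuickTime layout, since the thread only shows the "mangled iso code" comment.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for FFmpeg's mov_mdhd_language_map: a few classic
 * Macintosh language codes, with one gap (index 3) like the real table. */
static const char *const lang_map[] = { "eng", "fra", "ger", NULL, "spa" };
#define LANG_MAP_LEN (sizeof(lang_map) / sizeof(lang_map[0]))

/* Assumed QuickTime packing for codes >= 0x400: three 5-bit fields, each
 * 0x60 + (letter - 'a' + 1), most significant letter first. "eng" packs
 * to 0x15C7. Writes a NUL-terminated 3-letter code into to[4]. */
static int unpack_iso639(unsigned code, char *to) {
    int i;
    for (i = 2; i >= 0; i--) {
        to[i] = (char)(0x60 + (code & 0x1f));
        code >>= 5;
    }
    to[3] = '\0';
    return 1;
}

/* The bounds test of the pre-patch function, isolated: an int index with
 * only an upper bound lets every negative code through, so the subsequent
 * lang_map[code] read would land before the start of the table. */
int table_index_accepted_signed(int code) {
    return code < (int)LANG_MAP_LEN;
}

/* The same single comparison after the patch: with an unsigned parameter a
 * value that was negative as an int is a large unsigned and is rejected. */
int table_index_accepted_unsigned(unsigned code) {
    return code < LANG_MAP_LEN;
}

/* Hardened lookup in the shape of the patched function: returns 1 and fills
 * to[4] with a NUL-terminated code on success, 0 for unknown or out-of-range
 * codes. No lower bound check is needed because code cannot be negative. */
int lang_to_iso639(unsigned code, char *to) {
    if (code >= 0x400)
        return unpack_iso639(code, to);
    if (!table_index_accepted_unsigned(code) || !lang_map[code])
        return 0;
    strncpy(to, lang_map[code], 3);
    to[3] = '\0';
    return 1;
}

/* Two ways of pulling a 16-bit big-endian language field out of a buffer.
 * The signed one is a constructed hazard (sign-extends the field into an
 * int, so bytes FF FF become -1); the unsigned one yields 0..65535, which
 * the range check in lang_to_iso639 handles on its own. */
int read_lang_signed16(const uint8_t *p) {
    return (int16_t)((p[0] << 8) | p[1]);
}
unsigned read_lang_unsigned16(const uint8_t *p) {
    return ((unsigned)p[0] << 8) | p[1];
}
```

The two `table_index_accepted_*` functions make the point of the patch concrete: the comparison is textually the same in both, and only the type of `code` decides whether the crafted bytes FF FF (or any other field a signed reader turns negative) get past it.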