[FFmpeg-devel] patch for mpegaudiodec.c to prevent buffer read-access overflow
Michael Niedermayer
michaelni
Thu Mar 12 02:30:20 CET 2009
On Wed, Mar 11, 2009 at 01:35:31PM -0500, Francois Oligny-Lemieux wrote:
> Hi,
> I identified a place in mpegaudiodec.c where a crash could (and in my case
> was) happening from time to time. The crash will happen when the audio
> header is corrupted. The original code was doing buf++ while searching for
> the header without any consideration for the buffer end causing an overflow
> and eventually a read-access violation. Also after a successful resync, the
> code was not adjusting the buffer_size.
>
> I attached a patch containing the fix I'm using for this problem, but feel
> free to make your own changes to it.
>
> Francois
> Index: mpegaudiodec.c
> ===================================================================
> --- mpegaudiodec.c (revision 17942)
> +++ mpegaudiodec.c (working copy)
> @@ -2264,6 +2264,7 @@
> uint32_t header;
> int out_size;
> OUT_INT *out_samples = data;
> + uint8_t * buf_end = buf + buf_size;
>
> retry:
> if(buf_size < HEADER_SIZE)
> @@ -2274,8 +2275,12 @@
> buf++;
> // buf_size--;
> av_log(avctx, AV_LOG_ERROR, "Header missing skipping one byte.\n");
> + if ( buf + 3 > buf_end ){
> + return -1; // will overflow
> + }
> goto retry;
> }
> + buf_size = buf_end - buf;
considering that there is a check after retry and you dont fix the existing
check but rather add a second messy check
rejected
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you really think that XML is the answer, then you definitly missunderstood
the question -- Attila Kinali
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090312/447ddfd0/attachment.pgp>
More information about the ffmpeg-devel
mailing list