[FFmpeg-devel] [PATCH] rmdec.c: prevent zero-length packets
Kostya
kostya.shishkov
Tue Mar 17 06:30:40 CET 2009
On Mon, Mar 16, 2009 at 07:06:33PM -0400, Ronald S. Bultje wrote:
> Hi,
>
> re: Mans' patch and some more looking at rmdec.c, I think we've never
> really addressed the theoretical possibility of zero-length (empty)
> packets. I don't think any sane file would use them, but they wouldn't
> be invalid and would probably still lead to a crash because st is
> uninitialized right now. Just for the sake of preventing any
> theoretical exploits, I propose the attached patch.
>
> Ronald

It's funny that the old format code used if(len <= 0) return AVERROR(EIO);
So, let's see:
for old format (RA28.8) audio they will be invalid
for ATRAC, COOK and SIPRO they will be invalid (because of fixed frame size)
for AC3 they _might_ exist but I doubt that the decoder will accept a zero packet
for AAC there is some header as well
for video they will be invalid (since any video packet has a header)
Conclusion: len = 0 is not harmless, it's invalid.