[FFmpeg-devel] get_bits overrun checking from Google Chrome patches
Robert Swain
robert.swain
Tue Sep 8 02:29:27 CEST 2009
Hello,
It seems there's an issue with some code in the AAC decoder where
parsing a file can cause overrunning of the end of the file by calling
get_bits() when there are not enough bits left to get.
Google have made this patch to add some overrun checking to get_bits():
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/ugly/17_get_bits_overrun.patch
To quote their comments:
+ /* Ugly, but clients of this bit reader do not seem to check for enough
+ * data before calling. So we'll return 0's on overrun rather than crashing
+ * with random read faults.
+ */
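Review bot: the comment says the reader returns 0's on overrun but does not say that the overrun is recorded, so a caller reading only this header would take the zeros for data; suggest stating that buffer_exhausted is set on overrun and that callers which set buffer_enforcing must test it after each get_bits() call, as the covering mail describes.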
An example of the application of this is to set buffer_enforcing after
calling init_get_bits() and then check buffer_exhausted after calling
get_bits() and erroring out appropriately.
The case in the AAC decoder is:
while ((elem_type = get_bits(&gb, 3)) != TYPE_END) {
...
I'm actually a little surprised we didn't spot and remedy this
earlier. Any suggestions for any cleaner solutions than Google's
proposition?
Best regards,
Rob
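The pattern the mail describes (a bit reader that refuses to read past the end, sets a flag, and a caller that tests the flag after the read) as an added example. This is not FFmpeg's or Chromium's code: BitReader, br_init, br_get_bits and parse_elements are hypothetical names, the element syntax is a simplification (3-bit type, 4-bit instance tag, no payload), and the sample byte strings are constructed, not real AAC data. The reader always enforces the bound, since the non-enforcing path in the original is exactly the out-of-bounds read being avoided; only the buffer_exhausted flag is modelled. TYPE_END is 7, the ID_END syntax element in AAC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ID_END, the AAC syntax element that terminates a raw_data_block. */
#define TYPE_END 7

/* Hypothetical bit reader for this example (not FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buffer;
    size_t size_in_bits;
    size_t index;           /* next bit to read, MSB-first */
    int buffer_exhausted;   /* set once a read would pass size_in_bits */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_in_bits)
{
    memset(br, 0, sizeof *br);
    br->buffer = buf;
    br->size_in_bits = size_in_bits;
}

/*
 * Read n bits (1..32), MSB-first. If the read would pass the end of the
 * buffer, set buffer_exhausted and return 0 without touching memory past
 * the end. The caller cannot tell 0-as-data from 0-as-overrun by the
 * return value alone; it has to look at the flag.
 */
static unsigned br_get_bits(BitReader *br, int n)
{
    unsigned v = 0;
    if (n < 1 || n > 32)
        return 0;
    if (br->index + (size_t)n > br->size_in_bits) {
        br->buffer_exhausted = 1;
        return 0;
    }
    for (int i = 0; i < n; i++, br->index++) {
        unsigned bit = (br->buffer[br->index >> 3] >> (7 - (br->index & 7))) & 1u;
        v = (v << 1) | bit;
    }
    return v;
}

/*
 * Mirror of the AAC loop quoted in the mail, over a simplified element
 * syntax: a 3-bit element type followed (for every type except TYPE_END)
 * by a 4-bit element_instance_tag and nothing else. Returns the number of
 * elements before TYPE_END, or -1 if the buffer ran out first. Without the
 * check after each br_get_bits(), a truncated stream would yield an endless
 * run of zero-valued (type 0) elements instead of an error.
 */
static int parse_elements(const uint8_t *data, size_t size_bytes)
{
    BitReader gb;
    unsigned elem_type;
    int count = 0;

    br_init(&gb, data, size_bytes * 8);
    while ((elem_type = br_get_bits(&gb, 3)) != TYPE_END) {
        if (gb.buffer_exhausted)
            return -1;          /* the 0 came from overrun, not from data */
        unsigned tag = br_get_bits(&gb, 4);
        if (gb.buffer_exhausted)
            return -1;
        (void)elem_type;
        (void)tag;
        count++;
    }
    return count;
}

/* Constructed sample streams (not real AAC data). */
/* SCE(000) tag 0000, CPE(001) tag 0001, END(111), then zero padding. */
static const uint8_t SAMPLE_OK[]          = { 0x00, 0x47, 0x80 };
/* Same stream with the last byte cut off: TYPE_END never arrives. */
static const uint8_t SAMPLE_TRUNCATED[]   = { 0x00, 0x47 };
/* A block that is nothing but END(111). */
static const uint8_t SAMPLE_EMPTY_BLOCK[] = { 0xE0 };

int main(void)
{
    printf("ok:        %d\n", parse_elements(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated: %d\n", parse_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("end only:  %d\n", parse_elements(SAMPLE_EMPTY_BLOCK, sizeof SAMPLE_EMPTY_BLOCK));
    printf("no data:   %d\n", parse_elements(SAMPLE_OK, 0));
    return 0;
}
```

The check has to follow every read, not just the loop condition: a truncated stream can run out inside an element as easily as at an element boundary, and each read that overruns returns a plausible-looking 0.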