[FFmpeg-devel] [PATCH] asfdec fixes
Michael Niedermayer
michaelni
Sat Dec 11 20:34:05 CET 2010
On Sat, Dec 11, 2010 at 06:40:51PM +0100, Reimar Döffinger wrote:
> On Sat, Dec 11, 2010 at 05:16:13PM +0100, Michael Niedermayer wrote:
> > On Sat, Dec 11, 2010 at 02:48:09PM +0100, Reimar Döffinger wrote:
> > [...]
> > > @@ -977,7 +980,8 @@
> > > av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span (%d %d %d)\n", asf_st->pkt.size, asf_st->ds_packet_size, asf_st->ds_span);
> > > }else{
> > > /* packet descrambling */
> > > - uint8_t *newdata = av_malloc(asf_st->pkt.size);
> > > + uint8_t *newdata = av_malloc(asf_st->pkt.size + FF_INPUT_BUFFER_PADDING_SIZE);
> > > + memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
> > > if (newdata) {
> > > int offset = 0;
> > > while (offset < asf_st->pkt.size) {
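Review bot: the added memset runs before the `if (newdata)` check, so when av_malloc fails it writes FF_INPUT_BUFFER_PADDING_SIZE zero bytes to NULL + asf_st->pkt.size, an offset taken from the input; move `memset(newdata + asf_st->pkt.size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` inside the `if (newdata)` block, and consider returning an error on allocation failure rather than silently handing back the still-scrambled packet.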
> >
> > this is missing a malloc failure check, which could lead to you writing zeros
> > at a user-specified place
>
> Not so much missing as that I misplaced the line.
> Though it is a bit silly that the code silently returns the scrambled
> packet if it runs out of memory.
true
> I really feel like I've been stumbling around in the dirtiest parts of FFmpeg today.
the asf demuxer is a dirty & complex beast, in part because asf is a
dirty mess.
> Anyway, update that part so it at least shouldn't be exploitable.
> Index: ffmpeg/libavformat/asfdec.c
> ===================================================================
> --- ffmpeg/libavformat/asfdec.c (revision 25928)
> +++ ffmpeg/libavformat/asfdec.c (working copy)
lgtm
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The worst form of inequality is to try to make unequal things equal.
-- Aristotle
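Added example, not FFmpeg's code: the allocation, NULL check and padding memset in the order the review above asks for, around a descrambling loop. PADDING_SIZE stands in for FF_INPUT_BUFFER_PADDING_SIZE, and the chunk transpose (packet_size/chunk_size rows by span columns) is an assumed model of the interleave, not the demuxer's exact index math.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FF_INPUT_BUFFER_PADDING_SIZE (assumed value). */
#define PADDING_SIZE 8

/*
 * Descramble `size` bytes of `data` into a freshly allocated buffer with
 * PADDING_SIZE zero bytes appended. Returns 0 and sets *out on success,
 * -1 (with *out == NULL) on bad geometry or allocation failure; the
 * caller never receives a still-scrambled packet.
 */
int descramble_packet(const uint8_t *data, int size, int chunk_size,
                      int packet_size, int span, uint8_t **out)
{
    int chunks_per_packet, offset = 0;
    uint8_t *newdata;

    *out = NULL;
    /* Refuse geometry that would read outside `data`. */
    if (chunk_size <= 0 || packet_size <= 0 || span <= 0 ||
        packet_size % chunk_size != 0 || size != packet_size * span)
        return -1;
    chunks_per_packet = packet_size / chunk_size;

    newdata = malloc((size_t)size + PADDING_SIZE);
    if (!newdata)
        return -1;          /* check BEFORE touching the buffer */
    memset(newdata + size, 0, PADDING_SIZE);   /* only after the check */

    /* Assumed interleave: output chunk o comes from row + col * chunks_per_packet. */
    while (offset < size) {
        int o   = offset / chunk_size;
        int row = o / span;
        int col = o % span;
        int src = row + col * chunks_per_packet;
        memcpy(newdata + offset, data + src * chunk_size, chunk_size);
        offset += chunk_size;
    }
    *out = newdata;
    return 0;
}
```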