[FFmpeg-devel] [PATCH] dvbsubdec: check against buffer overreads
Måns Rullgård
mans
Thu Feb 10 00:48:37 CET 2011
Janne Grunau <janne-ffmpeg at jannau.net> writes:
> On Wed, Feb 09, 2011 at 11:23:54PM +0000, M?ns Rullg?rd wrote:
>> Janne Grunau <janne-ffmpeg at jannau.net> writes:
>>
>> > @@ -1437,6 +1439,11 @@ static int dvbsub_decode(AVCodecContext *avctx,
>> > segment_length = AV_RB16(p);
>> > p += 2;
>> >
>> > + if (p+segment_length > p_end) {
>> > + av_dlog(avctx, "incomplete packet");
>> > + return -1;
>> > + }
>>
>> Not overflow-safe. If the buffer is near the top of the address space,
>> adding an oversize segment_length could make it wrap. More generally,
>> the C standard makes so much as calculating an invalid address undefined
>> behaviour.
>>
>> The correct test for error here is (p_end - p < segment_length).
>
> thanks, fixed
>
> Janne
> ---8<---
> Signed-off-by: Janne Grunau <janne-ffmpeg at jannau.net>
> ---
> libavcodec/dvbsubdec.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
> index 401144f..dbeb24a 100644
> --- a/libavcodec/dvbsubdec.c
> +++ b/libavcodec/dvbsubdec.c
> @@ -1423,13 +1423,15 @@ static int dvbsub_decode(AVCodecContext *avctx,
>
> #endif
>
> - if (buf_size <= 2 || *buf != 0x0f)
> + if (buf_size <= 6 || *buf != 0x0f) {
> + av_dlog(avctx, "incomplete or broken packet");
> return -1;
> + }
>
> p = buf;
> p_end = buf + buf_size;
>
> - while (p < p_end && *p == 0x0f) {
> + while (p+6 < p_end && *p == 0x0f) {
This one can also overflow.
--
M?ns Rullg?rd
mans at mansr.com
More information about the ffmpeg-devel
mailing list