[FFmpeg-devel] [PATCH] Fixed size given to init_get_bits() in xan decoder.
Michael Niedermayer
michaelni at gmx.at
Sat Sep 10 01:37:44 CEST 2011
On Sat, Sep 10, 2011 at 12:40:31AM +0200, Laurent Aimar wrote:
> See the title.
[...]
> @@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) {
> vector_segment = s->buf + AV_RL16(&s->buf[4]);
> imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
>
> - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size);
> + xan_huffman_decode(opcode_buffer, opcode_buffer_size,
> + huffman_segment, s->size - (huffman_segment - s->buf) );
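Review bot: The new length argument `s->size - (huffman_segment - s->buf)` is computed without any visible check that the segment start lies inside the buffer. The neighbouring pointers in this hunk are built from 16-bit values read out of the frame itself (`s->buf + AV_RL16(&s->buf[4])`), so if huffman_segment is derived the same way, an offset at or beyond s->size makes this difference zero or negative before it reaches xan_huffman_decode. Validate the offsets against s->size before the call; since the hunk header shows the function as `static void`, rejecting a bad frame also needs a way to report the failure to the caller. Minor style point: drop the stray space in `s->buf) );`.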
Something like the following could be used to find a tighter size bound:

    unsigned hsize= s->size - AV_RL16(s->buf);
    for(i=2; i<8; i+=2)
        hsize= FFMIN(hsize, AV_RL16(s->buf+i) - AV_RL16(s->buf));

Also, either way it needs something like:

    for(i=0; i<8; i+=2)
        if(AV_RL16(s->buf+i) >= s->size)
            return -1;

Without that the size could become negative, which doesn't seem right to
me.

Otherwise LGTM
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
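
An added example, not part of the original mail or of FFmpeg's code: one way to combine the offset check and the tighter size bound suggested in the reply above. It assumes the frame begins with four 16-bit little-endian offsets at bytes 0, 2, 4 and 6, the first being the Huffman segment; `rl16` and `huff_segment_bound` are hypothetical names, and ignoring segments that start at or before the Huffman data is a choice made here to keep the unsigned arithmetic from wrapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 16-bit little-endian value (stand-in for FFmpeg's AV_RL16). */
static unsigned rl16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/*
 * Validate the four 16-bit segment offsets at bytes 0, 2, 4, 6 of the frame
 * and compute an upper bound on the length of the first (Huffman) segment.
 * Returns 0 and writes *hsize on success, -1 if the header is unusable.
 */
static int huff_segment_bound(const uint8_t *buf, size_t size, size_t *hsize)
{
    size_t hoff, bound;
    int i;

    if (size < 8)                      /* the header itself must be present */
        return -1;
    for (i = 0; i < 8; i += 2)         /* every offset must land inside buf */
        if (rl16(buf + i) >= size)
            return -1;

    hoff  = rl16(buf);
    bound = size - hoff;               /* cannot wrap: hoff < size */
    for (i = 2; i < 8; i += 2) {
        size_t off = rl16(buf + i);
        /* Only a segment that starts after the Huffman data tightens the
         * bound; one that starts at or before it is ignored so the unsigned
         * subtraction never wraps. */
        if (off > hoff && off - hoff < bound)
            bound = off - hoff;
    }
    *hsize = bound;
    return 0;
}

int main(void)
{
    /* Constructed frame: offsets 8, 12, 16, 20 in a 24-byte buffer. */
    uint8_t frame[24] = { 8, 0, 12, 0, 16, 0, 20, 0 };
    size_t n;
    if (huff_segment_bound(frame, sizeof(frame), &n) == 0)
        printf("huffman segment bound: %zu bytes\n", n);
    frame[4] = 0xff; frame[5] = 0xff;  /* offset 65535 points past the end */
    printf("bad header -> %d\n", huff_segment_bound(frame, sizeof(frame), &n));
    return 0;
}
```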