[FFmpeg-devel] [libav-devel] [PATCH 5/6] Fixed segfaults on corrupted smacker streams in the decoder.
Michael Niedermayer
michaelni at gmx.at
Mon Sep 12 23:43:45 CEST 2011
On Mon, Sep 12, 2011 at 11:28:44PM +0200, Reimar Döffinger wrote:
> On Sun, Sep 11, 2011 at 07:56:46PM +0200, Laurent Aimar wrote:
> > @@ -653,6 +659,8 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
> > } else { //8-bit data
> > for(i = stereo; i >= 0; i--)
> > pred[i] = get_bits(&gb, 8);
> > + if (stereo + unp_size > data_size)
> > + return -1;
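Review bot: `data_size` is declared `int *data_size` in this hunk's function header, yet the new check compares `stereo + unp_size > data_size` without dereferencing it; unless a local integer of the same name is in scope here, this should read `*data_size`, matching the earlier `unp_size > *data_size` comparison quoted later in this thread. On the overflow question: `stereo` is a 0/1 flag, so `stereo + unp_size` can only wrap if `unp_size` is already at the top of the `int` range, and the earlier `unp_size & 0xC0000000` rejection rules that out; since this new check silently relies on that earlier guard, a one-line comment pointing at it would make the dependency visible to the next reader, and an `av_log` with a reason (as the existing "Frame is too large to fit in buffer" check has) would keep the error paths consistent.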
>
> This can overflow.
How?
There is:
if (unp_size & 0xC0000000 || unp_size > *data_size) {
av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
return -1;
}
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I have often repented speaking, but never of holding my tongue.
-- Xenocrates