[FFmpeg-devel] [libav-devel] [PATCH 5/6] Fixed segfaults on corrupted smacker streams in the decoder.
Michael Niedermayer
michaelni at gmx.at
Tue Sep 13 00:37:16 CEST 2011
On Tue, Sep 13, 2011 at 12:23:48AM +0200, Michael Niedermayer wrote:
> On Tue, Sep 13, 2011 at 12:21:11AM +0200, Laurent Aimar wrote:
> > On Tue, Sep 13, 2011 at 12:16:50AM +0200, Michael Niedermayer wrote:
> > > On Tue, Sep 13, 2011 at 12:04:22AM +0200, Laurent Aimar wrote:
> > > > On Mon, Sep 12, 2011 at 11:59:56PM +0200, Michael Niedermayer wrote:
> > > > > On Mon, Sep 12, 2011 at 11:43:18PM +0200, Laurent Aimar wrote:
> > > > > > On Mon, Sep 12, 2011 at 11:28:44PM +0200, Reimar Döffinger wrote:
> > > > > > > On Sun, Sep 11, 2011 at 07:56:46PM +0200, Laurent Aimar wrote:
> > > > > > > > @@ -653,6 +659,8 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
> > > > > > > > } else { //8-bit data
> > > > > > > > for(i = stereo; i >= 0; i--)
> > > > > > > > pred[i] = get_bits(&gb, 8);
> > > > > > > > + if (stereo + unp_size > data_size)
> > > > > > > > + return -1;
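Review bot: the added check compares an integer with a pointer: the hunk header shows `int *data_size`, so `stereo + unp_size > data_size` needs to dereference it, `*data_size`. Rearranging it as `if (unp_size < 0 || unp_size > *data_size - stereo) return -1;` both fixes the type and avoids the sum on the left overflowing for a hostile `unp_size`. Note also that the check is added only under `} else { //8-bit data`, so the other sample-width branch of this function still gets no bound on its output buffer.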
> > > > > > >
> > > > > > > This can overflow.
> > > > > > > if (unp_size < 0 || unp_size > data_size - stereo)
> > > > > > > should probably be safe.
> > > > > > No it doesn't because of the surrounding code BUT I saw a bug
> > > > > > in this patch (data_size is a pointer, a '*' is missing)
> > > > >
> > > > > fixed
> > > > >
> > > > >
> > > > > >
> > > > > > It can also be made a bit simpler. I will propose a better patch
> > > > > > later.
> > > > >
> > > > > i guess you plan something like: ?
> > > > Nearly, this condition is a tad too strict when bits is 1.
> > > > I think it should be (unp_size & ~bits) + stereo > *data_size
> > >
> > > i think it should be:
> > > (unp_size & ~bits) + stereo*(bits+1) > *data_size
> >
> > ... yes :)
>
> ok, let me double check this one one more time and then ill push that
> cursed check ;)
the amount written and the amount the user app is told that was written
doesn't match:
*data_size = unp_size;
so it seems there are some bugs in the decoder
[....]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Frequently ignored answer#1 FFmpeg bugs should be sent to our bugtracker. User
questions about the command line tools should be sent to the ffmpeg-user ML.
And questions about how to use libav* should be sent to the libav-user ML.