[FFmpeg-devel] AVDictionary for binary tags
Dmitry Kostjuchenko
dmitrykos at iauxsoft.com
Sat Jan 21 21:36:52 CET 2012
I agree that a not nice thing will happen in these lines if the binary data size
really exceeds the 32-bit value of size_t on a 32-bit platform (did not think about
such a possibility). To fix the issue it is possible to do such a comparison and
throw an error:
    if (len != (int64_t)(size_t)len)
        return AVERROR(ENOMEM);
I updated the patch with this change.
By the way, while making the correction to my code, I noticed a potentially weak
place in av_dict_set in the line:
    int len = strlen(oldval) + strlen(value) + 1;
Hypothetically len may become negative if oldval and value provide a sum which
does not fit into a signed integer. A faulty mem region pointed to by oldval or
value may trigger this issue.
----- Original Message -----
From: "Reimar Döffinger" <Reimar.Doeffinger at gmx.de>
> First, no I don't think it will be, not with maliciously crafted files.
> Second, I actually meant the av_malloc (and realloc) in
> av_dict_set_binary.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch2.diff
Type: application/octet-stream
Size: 6994 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20120121/7d4e4da6/attachment.obj>
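Added example (not part of the original message, the attached patch, or FFmpeg): the two length checks discussed above, written as stand-alone C. The helper names, the size_max parameter and the negative errno return values (in place of AVERROR()) are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: turn a 64-bit length read from a file into a size_t
 * for allocation. size_max is a parameter only so the 32-bit case can be
 * exercised on any host; real code would pass SIZE_MAX. Returns negative
 * errno values where FFmpeg code would use AVERROR(). */
static int len_to_size(int64_t len, uint64_t size_max, size_t *out)
{
    /* With a 64-bit size_t the round-trip test len != (int64_t)(size_t)len
     * lets negative values through on common compilers, so test the sign. */
    if (len < 0)
        return -EINVAL;
    if ((uint64_t)len > size_max)   /* (size_t)len would truncate */
        return -ENOMEM;
    *out = (size_t)len;
    return 0;
}

/* Hypothetical helper: old_len + val_len + 1 (for the NUL), rejected when
 * the sum does not fit the int used by the quoted av_dict_set line. */
static int concat_len(size_t old_len, size_t val_len, int *out)
{
    if (old_len >= (size_t)INT_MAX ||
        val_len > (size_t)INT_MAX - 1 - old_len)
        return -ENOMEM;
    *out = (int)(old_len + val_len + 1);
    return 0;
}

static int dict_append_len(const char *oldval, const char *value, int *out)
{
    return concat_len(strlen(oldval), strlen(value), out);
}

int main(void)
{
    size_t sz = 0;
    int n = 0;
    /* Constructed inputs: a 4 GiB length checked against a 32-bit size_t. */
    printf("4GiB on 32-bit: %d\n", len_to_size((int64_t)1 << 32, UINT32_MAX, &sz));
    int rc = dict_append_len("abc", "defg", &n);
    printf("append length:  %d -> %d\n", rc, n);
    return 0;
}
```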