[FFmpeg-devel] [PATCH] lavu/avstring: check for overlong encodings
Stefano Sabatini
stefasab at gmail.com
Sat Aug 30 14:58:15 CEST 2014
On date Friday 2014-08-29 15:57:32 +0200, wm4 encoded:
> On Thu, 28 Aug 2014 17:39:27 +0200
> Stefano Sabatini <stefasab at gmail.com> wrote:
>
> > Fix reopened trac ticket #1163.
> > ---
> > libavutil/avstring.c | 13 ++++++++++++-
> > 1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavutil/avstring.c b/libavutil/avstring.c
> > index a63fb84..df27d5e 100644
> > --- a/libavutil/avstring.c
> > +++ b/libavutil/avstring.c
> > @@ -331,7 +331,10 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
> > const uint8_t *p = *bufp;
> > uint32_t top;
> > uint64_t code;
> > - int ret = 0;
> > + int ret = 0, tail_len;
> > + uint32_t overlong_encoding_mins[6] = {
> > + 0x00000000, 0x00000080, 0x00000800, 0x00010000, 0x00200000, 0x04000000,
> > + };
> >
> > if (p >= buf_end)
> > return 0;
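Review bot: overlong_encoding_mins in the declarations at the top of av_utf8_decode is a plain automatic array, so it is writable and set up again on every call. Declare it `static const uint32_t overlong_encoding_mins[6]`, and add a one-line comment saying the index is the number of continuation bytes, since the table itself does not say what it is indexed by.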
> > @@ -346,8 +349,10 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
> > }
> > top = (code & 128) >> 1;
> >
> > + tail_len = 0;
> > while (code & top) {
> > int tmp;
> > + tail_len++;
> > if (p >= buf_end) {
> > (*bufp) ++;
> > return AVERROR(EILSEQ); /* incomplete sequence */
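Review bot: tail_len++ at the top of the while loop has no upper bound in the visible lines, yet the value is later used to index the six-entry overlong_encoding_mins table. The limit depends entirely on how often `code & top` can stay true, which is decided outside this hunk. Put the bound in the code, either as an assertion that tail_len <= 5 after the loop or as an explicit check that returns AVERROR(EILSEQ), so the array access does not rely on reasoning about the lead-byte filter.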
> > @@ -364,6 +369,12 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
> > }
> > code &= (top << 1) - 1;
> >
> > + /* check for overlong encodings */
> > + if (code < overlong_encoding_mins[tail_len]) {
> > + ret = AVERROR(EILSEQ);
> > + goto end;
> > + }
> > +
> > if (code >= 1<<31) {
> > ret = AVERROR(EILSEQ); /* out-of-range value */
> > goto end;
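Review bot: the overlong branch added ahead of the out-of-range test gives av_utf8_decode a new AVERROR(EILSEQ) result, but the diffstat lists only libavutil/avstring.c, so the change arrives with no documentation update and no test input. State in the function's documentation that overlong encodings are rejected, and add test cases on both sides of each boundary in overlong_encoding_mins (one per sequence length).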
>
> Looks ok and simple to me. Is there a guarantee tail_len never
> becomes larger than 5?
It is mathematically impossible that the length will be larger than 5.
Added an assert for that though, alternatively I could add a check.
>
> Also note that libavcodec/utils.c contains the same check (but less
> readable) in utf8_check().
--
FFmpeg = Faithful Fundamentalist Most Power Enhancing Goblin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lavu-avstring-check-for-overlong-encodings.patch
Type: text/x-diff
Size: 1810 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20140830/d6f28f01/attachment.bin>
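The index bound asked about in the thread and the overlong check from the patch, as a stand-alone C example added here (not FFmpeg's code and not the author's). `tail_count` and `utf8_decode_strict` are hypothetical names, the table values are the ones in the patch, the sample bytes are constructed, and only the overlong rule is enforced (no surrogate or U+10FFFF limit).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Smallest code point that needs N continuation bytes (values from the patch). */
static const uint32_t overlong_min[6] = {
    0x00000000, 0x00000080, 0x00000800, 0x00010000, 0x00200000, 0x04000000,
};

/* Continuation bytes implied by a lead byte, or -1 if it cannot start a sequence. */
static int tail_count(uint8_t lead)
{
    int n = 0;
    if ((lead & 0xC0) == 0x80 || lead >= 0xFE)
        return -1;              /* stray continuation byte, or 0xFE/0xFF */
    for (uint8_t bit = 0x40; lead >= 0xC0 && (lead & bit); bit >>= 1)
        n++;                    /* one per leading 1 bit after the first */
    return n;                   /* 0..5: 0xFC/0xFD give 5, 0xFE/0xFF were rejected */
}

/* Hypothetical helper: returns bytes consumed (1..6), or -1 on invalid input. */
int utf8_decode_strict(const uint8_t *buf, size_t len, uint32_t *cp)
{
    int n;
    uint32_t code;

    if (len == 0 || (n = tail_count(buf[0])) < 0 || (size_t)n >= len)
        return -1;              /* empty, bad lead byte, or truncated */
    code = n ? (uint32_t)(buf[0] & (0x3F >> n)) : buf[0];
    for (int i = 1; i <= n; i++) {
        if ((buf[i] & 0xC0) != 0x80)
            return -1;          /* not a 10xxxxxx continuation byte */
        code = (code << 6) | (buf[i] & 0x3F);
    }
    if (code < overlong_min[n])
        return -1;              /* overlong: value fits in a shorter sequence */
    *cp = code;
    return n + 1;
}

int main(void)
{
    /* Constructed inputs: U+20AC in 3 bytes, then U+002F padded to 3 bytes. */
    const uint8_t ok[] = { 0xE2, 0x82, 0xAC }, bad[] = { 0xE0, 0x80, 0xAF };
    uint32_t cp = 0;
    printf("%d\n", utf8_decode_strict(ok, sizeof(ok), &cp));
    printf("%d\n", utf8_decode_strict(bad, sizeof(bad), &cp));
    return 0;
}
```

Because the lead-byte filter rejects 0xFE and 0xFF before any counting happens, the table index can never exceed 5, which is the property the reply in the thread relies on.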