[FFmpeg-devel] [PATCH] alsdec: validate time diff index
Michael Niedermayer
michaelni at gmx.at
Sat Apr 18 20:42:58 CEST 2015
On Sat, Apr 18, 2015 at 08:13:30PM +0200, Andreas Cadhalpun wrote:
> On 18.04.2015 20:05, Michael Niedermayer wrote:
> > On Sat, Apr 18, 2015 at 06:58:30PM +0200, Andreas Cadhalpun wrote:
> >> If begin is smaller than t, the subtraction 'begin -= t' wraps around,
> >> because begin is unsigned. The same applies for end < t.
> >>
> >> This causes segmentation faults.
> >>
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >> libavcodec/alsdec.c | 8 ++++++++
> >> 1 file changed, 8 insertions(+)
> >>
> >> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
> >> index f85f1e8..ff6b6cf 100644
> >> --- a/libavcodec/alsdec.c
> >> +++ b/libavcodec/alsdec.c
> >> @@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
> >>
> >> if (ch[dep].time_diff_sign) {
> >> t = -t;
> >> + if (begin < t) {
> >> + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
> >> + return AVERROR_INVALIDDATA;
> >> + }
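Review bot: the added test `begin < t`, placed right after `t = -t`, mixes the unsigned begin (logged with %u) with the signed t (logged with %d), so a negative t is converted to a very large unsigned value and the error return is taken even when begin is not smaller than t in the signed sense. Test the sign first, for example `t > 0 && begin < t`, so that only a positive t can reject the block.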
> >
> > begin is 1, t < 0; also the comparison is unsigned so t will overflow
> > in it
>
> Sorry, I sent the wrong version of the patch. Fixed one attached.
> The t < 0 case is not problematic for the subtraction.
[...]
> @@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
>
> if (ch[dep].time_diff_sign) {
> t = -t;
> + if (t > 0 && begin < t) {
time_diff_index is always positive, so t is always negative here,
so this can't be true unless the context got corrupted or I am missing
something
> + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
> + return AVERROR_INVALIDDATA;
> + }
> begin -= t;
> } else {
> + if (t > 0 && end < t) {
and here t should always be > 0, so the test shouldn't be needed
[...]
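Review bot: in the time_diff_sign branch the log text "begin %u smaller than time diff index %d" prints t after `t = -t`, so the number reported is the negated value rather than the time diff index itself; log the value before negation or reword the message. Because `t > 0 && begin < t` can only fire when t is positive after the negation, a short comment stating which input produces that would help, and the `end < t` guard in the else branch deserves the same comment.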
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The bravest are surely those who have the clearest vision
of what is before them, glory and danger alike, and yet
notwithstanding go out to meet it. -- Thucydides
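
The wraparound and the two versions of the check discussed in this thread, as an added example that is not part of the original message or of alsdec.c. The helper names are hypothetical and the input values are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed helpers; the names are hypothetical and not from alsdec.c. */

/* The operation from the commit message: unsigned begin minus int t. */
static unsigned sub_unchecked(unsigned begin, int t)
{
    begin -= t;        /* t is converted to unsigned; wraps if begin < t */
    return begin;
}

/* First posted check, 'begin < t'. The cast spells out the conversion the
 * compiler applies implicitly, so t = -1 is compared as UINT_MAX. */
static int rejects_v1(unsigned begin, int t)
{
    return begin < (unsigned)t;
}

/* Revised check: test the sign first, then compare magnitudes. */
static int rejects_v2(unsigned begin, int t)
{
    return t > 0 && begin < (unsigned)t;
}

/* Checked subtraction: 0 and the result in *out, or -1 if it would wrap
 * below zero. A negative t only increases begin and is let through. */
static int sub_checked(unsigned begin, int t, unsigned *out)
{
    if (rejects_v2(begin, t))
        return -1;
    *out = begin - (unsigned)t;
    return 0;
}

int main(void)
{
    unsigned r = 0;
    printf("1 - 3 unchecked  : %u\n", sub_unchecked(1, 3));
    printf("v1 rejects (1,-1): %d\n", rejects_v1(1, -1));
    printf("v2 rejects (1,-1): %d\n", rejects_v2(1, -1));
    printf("v2 rejects (1, 3): %d\n", rejects_v2(1, 3));
    if (sub_checked(5, 3, &r) == 0)
        printf("5 - 3 checked    : %u\n", r);
    return 0;
}
```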