[FFmpeg-devel] [PATCH] nutdec: check maxpos in read_sm_data before reading count
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Sat Jun 27 17:53:26 CEST 2015
On 27.06.2015 02:31, Michael Niedermayer wrote:
> On Fri, Jun 26, 2015 at 07:28:36PM +0200, Andreas Cadhalpun wrote:
>> On 26.06.2015 01:36, Michael Niedermayer wrote:
>>> On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote:
>>>> Otherwise sm_size can be larger than size, which results in a negative
>>>> packet size.
>>>>
>>>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>>>> ---
>>>> libavformat/nutdec.c | 7 ++++++-
>>>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>>
>>>
>>>>
>>>> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
>>>> index 13fb399..43bd27b 100644
>>>> --- a/libavformat/nutdec.c
>>>> +++ b/libavformat/nutdec.c
>>>> @@ -888,7 +888,7 @@ fail:
>>>>
>>>> static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos)
>>>> {
>>>> - int count = ffio_read_varlen(bc);
>>>> + int count;
>>>> int skip_start = 0;
>>>> int skip_end = 0;
>>>> int channels = 0;
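Review bot: moving the read out of the declaration leaves `count` uninitialized between this hunk and its assignment in the next one; nothing reads it in that window, but initializing it (`int count = 0;`) or noting why the read is deferred would make the intent obvious to the next reader.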
>>>> @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
>>>> int height = 0;
>>>> int i, ret;
>>>>
>>>> + if (avio_tell(bc) >= maxpos)
>>>> + return AVERROR_INVALIDDATA;
>>>> +
>>>> + count = ffio_read_varlen(bc);
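Review bot: the `avio_tell(bc) >= maxpos` check guards only the position before the read, not the read itself; `ffio_read_varlen(bc)` can still advance past `maxpos` and return 0, so the loop (and the checks inside it) is skipped and sm_size can exceed size. A check on `avio_tell(bc)` against `maxpos` after the loop, before returning success, would cover that case as well.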
>>>
>>> ffio_read_varlen() could move the position beyond maxpos yet return
>>> 0 so the loop with the checks inside is skipped
>>
>> That is exactly the problem, because then sm_size can be larger than size.
>> An alternative would be to directly check for that, like in attached patch.
>
> wouldn't checking after the loop in read_sm_data() before returning
> success be more robust?
> It would exit sooner if the problem occurs in the first call
> and avoid potential integer overflows
OK, new patch attached.
> but I am fine with any solution that works
Me too.
Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-nutdec-check-maxpos-in-read_sm_data-before-returning.patch
Type: text/x-diff
Size: 861 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150627/b15b2f9b/attachment.bin>
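To illustrate the difference between the two approaches discussed in the thread, here is an added toy model that is not code from the patch or from FFmpeg: it assumes a NUT-style 7-bit varlen reader and a simplified read_sm_data, and contrasts the check before reading count with the check after the loop.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for AVIOContext: a byte buffer with a cursor. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } Reader;
/* 7-bits-per-byte varlen like NUT's; a set high bit means more bytes follow.
 * Past the end, bytes read as 0 while the cursor keeps advancing. */
static uint64_t read_varlen(Reader *r) {
    uint64_t v = 0;
    int b;
    do {
        b = r->pos < r->len ? r->buf[r->pos] : 0;
        r->pos++;
        v = (v << 7) | (b & 0x7f);
    } while (b & 0x80);
    return v;
}
enum { CHECK_BEFORE, CHECK_AFTER };   /* first patch vs. post-loop check */
#define REJECTED LONG_MAX
/* Simplified read_sm_data: a varlen count followed by count varlen entries. */
static int read_sm_data(Reader *r, size_t maxpos, int mode) {
    uint64_t count, i;
    if (mode == CHECK_BEFORE && r->pos >= maxpos)
        return -1;
    count = read_varlen(r);            /* may run past maxpos and still return 0 */
    for (i = 0; i < count; i++) {
        if (r->pos >= maxpos)          /* in-loop check already in nutdec */
            return -1;
        read_varlen(r);
    }
    if (mode == CHECK_AFTER && r->pos > maxpos)
        return -1;
    return 0;
}
/* Caller side: the packet claims `size` bytes and side data must fit in them.
 * Returns size - sm_size (negative = negative packet size) or REJECTED. */
static long packet_payload(const uint8_t *buf, size_t len, size_t size, int mode) {
    Reader r = { buf, len, 0 };
    if (read_sm_data(&r, size, mode) < 0)
        return REJECTED;
    return (long)size - (long)r.pos;
}
/* Constructed inputs: 80 80 00 encodes count 0 in 3 bytes inside a packet
 * claiming 2 bytes; 01 05 is one entry in a well-formed 3-byte packet. */
static const uint8_t TRUNCATED[] = { 0x80, 0x80, 0x00, 0xAA };
static const uint8_t WELL_FORMED[] = { 0x01, 0x05, 0xAA };
static long demo_truncated(int mode) { return packet_payload(TRUNCATED, sizeof TRUNCATED, 2, mode); }
static long demo_well_formed(int mode) { return packet_payload(WELL_FORMED, sizeof WELL_FORMED, 3, mode); }
```

With the truncated input the before-read check accepts the block and yields a payload size of -1, while the post-loop check rejects it; the well-formed input passes both.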