[FFmpeg-devel] [PATCH 1/3] avcodec/h264dec: Fix potential array overread

Paul B Mahol onemda at gmail.com
Sun Oct 22 17:31:50 EEST 2017


On 10/22/17, Michael Niedermayer <michael at niedermayer.cc> wrote:
> On Sun, Oct 22, 2017 at 07:28:31AM -0400, Ronald S. Bultje wrote:
>> Hi,
>>
>> On Sat, Oct 21, 2017 at 7:41 PM, Michael Niedermayer
>> <michael at niedermayer.cc> wrote:
>>
>> > add padding before scantable arrays
>> >
>> > See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a
>> >
>> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>> > ---
>> >  libavcodec/h264dec.h | 1 +
>> >  1 file changed, 1 insertion(+)
>> >
>> > diff --git a/libavcodec/h264dec.h b/libavcodec/h264dec.h
>> > index 2106ba077e..de8b7c38b9 100644
>> > --- a/libavcodec/h264dec.h
>> > +++ b/libavcodec/h264dec.h
>> > @@ -416,6 +416,7 @@ typedef struct H264Context {
>> >      uint8_t (*mvd_table[2])[2];
>> >      uint8_t *direct_table;
>> >
>> > +    uint8_t scan_padding[16];
>> >      uint8_t zigzag_scan[16];
>> >      uint8_t zigzag_scan8x8[64];
>> >      uint8_t zigzag_scan8x8_cavlc[64];
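Review bot: the new `scan_padding[16]` member has no comment, so a reader of h264dec.h cannot tell it is a guard against small negative scan-table indices rather than an unused field; suggest a one-line comment on the member, e.g. `uint8_t scan_padding[16]; ///< guard so that negative scan-table indices do not read the pointers above`, and carry the commit reference from the message into it. The hunk also does not state the largest negative index the table lookups can produce, so the choice of 16 bytes cannot be checked from the diff alone; the commit message should give that bound. Finally, the guard only hides the neighbouring pointer bytes if it is zero-filled, which depends on how H264Context is allocated; that assumption is worth stating next to the member as well.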
>> > --
>> > 2.14.2
>>
>>
>> This is 16 bytes; isn't the space before it (the pointers) already
>> providing that space? Or do you want it to be zeroed so resulting
>> indices can be used for writing into the coef array?
>
> I wanted to ensure that the pointer cannot leak into the output.
> Possibly giving an attacker information about the memory layout

Can we expect more of such patches in future?
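The exchange above is about where a slightly negative scan-table index lands in memory: directly in front of `zigzag_scan` sit pointer members, so an index of -1 would read a byte of a heap address. The following is an added illustration, not FFmpeg code. It uses two constructed struct layouts (one like the original, one with the patch's zeroed guard array), and models `zigzag_scan[idx]` for negative `idx` by viewing the whole struct as bytes, which keeps the model itself well defined while showing exactly which neighbouring member the index would hit. It assumes the common ABI behaviour that no compiler padding is inserted between a pointer member and a following `uint8_t` array, and that the padded context comes zero-filled (FFmpeg's real allocation path is not modelled here).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layouts for this example; not the real H264Context. */
struct ctx_unpadded {
    uint8_t *direct_table;      /* pointer member right before the table */
    uint8_t  zigzag_scan[16];
};

struct ctx_padded {
    uint8_t *direct_table;
    uint8_t  scan_padding[16];  /* zeroed guard array, as in the patch */
    uint8_t  zigzag_scan[16];
};

struct probe {
    int read_byte;     /* byte zigzag_scan[idx] would yield, or -1 if outside the struct */
    int pointer_byte;  /* matching byte of direct_table's value if the read hits it, else -1 */
};

/* Model zigzag_scan[idx] by indexing the struct's object representation.
 * ptr_bytes holds the value of direct_table copied out with memcpy, so the
 * caller can check whether the read returned part of that address. */
static struct probe probe_layout(const void *obj, size_t obj_size,
                                 size_t table_off, size_t ptr_off, size_t ptr_size,
                                 const unsigned char *ptr_bytes, ptrdiff_t idx)
{
    struct probe p = { -1, -1 };
    ptrdiff_t pos = (ptrdiff_t)table_off + idx;
    if (pos < 0 || (size_t)pos >= obj_size)
        return p;                                   /* would leave the struct entirely */
    p.read_byte = ((const unsigned char *)obj)[pos];
    if ((size_t)pos >= ptr_off && (size_t)pos < ptr_off + ptr_size)
        p.pointer_byte = ptr_bytes[(size_t)pos - ptr_off];
    return p;
}

/* Original layout: a negative index walks straight into direct_table. */
struct probe probe_unpadded(ptrdiff_t idx)
{
    static uint8_t target;                  /* something for direct_table to point at */
    struct ctx_unpadded c;
    unsigned char ptr_bytes[sizeof c.direct_table];
    memset(&c, 0x11, sizeof c);             /* constructed filler for the scan table */
    c.direct_table = &target;
    memcpy(ptr_bytes, &c.direct_table, sizeof ptr_bytes);
    return probe_layout(&c, sizeof c, offsetof(struct ctx_unpadded, zigzag_scan),
                        offsetof(struct ctx_unpadded, direct_table),
                        sizeof c.direct_table, ptr_bytes, idx);
}

/* Patched layout: indices -1..-16 hit the zeroed guard instead. */
struct probe probe_padded(ptrdiff_t idx)
{
    static uint8_t target;
    struct ctx_padded c;
    unsigned char ptr_bytes[sizeof c.direct_table];
    memset(&c, 0, sizeof c);                /* assumption: context is zero-filled */
    memset(c.zigzag_scan, 0x11, sizeof c.zigzag_scan);
    c.direct_table = &target;
    memcpy(ptr_bytes, &c.direct_table, sizeof ptr_bytes);
    return probe_layout(&c, sizeof c, offsetof(struct ctx_padded, zigzag_scan),
                        offsetof(struct ctx_padded, direct_table),
                        sizeof c.direct_table, ptr_bytes, idx);
}

int main(void)
{
    for (ptrdiff_t idx = -1; idx >= -(ptrdiff_t)sizeof(void *); idx--) {
        struct probe u = probe_unpadded(idx), p = probe_padded(idx);
        printf("idx %3td: unpadded reads %02x (pointer byte: %s), padded reads %02x\n",
               idx, u.read_byte, u.pointer_byte >= 0 ? "yes" : "no", p.read_byte);
    }
    return 0;
}
```

Running it prints, for each of the first `sizeof(void *)` negative indices, that the unpadded layout returns a byte of the `direct_table` address while the padded layout returns zero. The guard is only a mitigation for small negative offsets: an index below -16 still reaches the pointer in the padded layout, which is why the bound on the index matters as much as the padding itself.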

