[FFmpeg-devel] [PATCH 2/2] avcodec/cdtoons: Fix off by 4 check on diff_size
Michael Niedermayer
michaelni at gmx.at
Fri Feb 21 00:26:26 EET 2020
On Thu, Feb 20, 2020 at 08:11:34PM +0100, Paul B Mahol wrote:
> Are you sure this is correct?
> Does asan reports exactly overread by 4?
the next line passes diff_size - 8 as an unsigned data size
if diff_size is smaller than 8, diff_size - 8 is very big and
the overread checks which use that will misbehave
[...]
> > @@ -269,7 +269,7 @@ static int cdtoons_decode_frame(AVCodecContext *avctx,
> > void *data,
> > diff_size = bytestream_get_be32(&buf);
> > width = bytestream_get_be16(&buf);
> > height = bytestream_get_be16(&buf);
> > - if (diff_size < 4 || diff_size - 4 > eod - buf) {
> > + if (diff_size < 8 || diff_size - 4 > eod - buf) {
> > av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out of
> > data for Diff frame data.\n");
> > return AVERROR_INVALIDDATA;
> > }
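Review bot: the condition now uses two different constants (a minimum of 8, but `diff_size - 4` compared against the remaining bytes), which reads like a typo unless the reader already knows about the later `diff_size - 8` consumer mentioned in the reply; a one-line comment above the check, or a sentence in the commit message stating that the smallest valid diff_size is 8 because the following code subtracts 8 from it as an unsigned size, would keep the next reviewer from asking the same question Paul did.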
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
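The unsigned wraparound described in the reply, as an added example that is not FFmpeg code. It models the quoted check with a plain function: `remaining` stands in for `eod - buf`, `check_before` is the removed line (minimum 4), `check_after` is the added line (minimum 8), and `consumer_size_wraps` shows what a later consumer sees when it computes `diff_size - 8` as an unsigned count. The names and the constructed values are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not FFmpeg code. Models the check in the quoted hunk:
 * diff_size is a 32-bit unsigned value read from the stream, and code
 * after the check uses diff_size - 8 as an unsigned byte count. */

/* Returns 1 if a consumer computing diff_size - 8 as an unsigned size
 * gets a wrapped (huge) count, i.e. the input was smaller than 8. */
static int consumer_size_wraps(uint32_t diff_size)
{
    unsigned data_size = diff_size - 8;  /* unsigned subtraction wraps */
    return data_size > diff_size;        /* true only after a wrap */
}

/* The 'before' check from the removed line: minimum of 4. */
static int check_before(uint32_t diff_size, ptrdiff_t remaining)
{
    return !(diff_size < 4 || diff_size - 4 > remaining);
}

/* The 'after' check from the added line: minimum raised to 8. */
static int check_after(uint32_t diff_size, ptrdiff_t remaining)
{
    return !(diff_size < 8 || diff_size - 4 > remaining);
}

/* Count how many diff_size values in 0..15 pass the given check yet
 * still hand the consumer a wrapped size. A sound check returns 0. */
static int unprotected_count(int (*check)(uint32_t, ptrdiff_t), ptrdiff_t remaining)
{
    int n = 0;
    for (uint32_t v = 0; v < 16; v++)
        if (check(v, remaining) && consumer_size_wraps(v))
            n++;
    return n;
}

int main(void)
{
    /* Constructed input: plenty of bytes remain, so only the lower bound matters. */
    ptrdiff_t remaining = 100;
    printf("values passing old check but wrapping: %d\n",
           unprotected_count(check_before, remaining));
    printf("values passing new check but wrapping: %d\n",
           unprotected_count(check_after, remaining));
    return 0;
}
```

With 100 bytes remaining, diff_size values 4 through 7 pass the old lower bound yet wrap to a count near 4 GiB once 8 is subtracted, which is why any overread check built on that count misbehaves; the new bound rejects all of them while still accepting 8 and still rejecting sizes that exceed the remaining bytes.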