[FFmpeg-devel] [PATCH 2/2] avcodec/cdtoons: Fix off by 4 check on diff_size

Paul B Mahol onemda at gmail.com
Fri Feb 21 00:29:51 EET 2020


On 2/20/20, Michael Niedermayer <michaelni at gmx.at> wrote:
> On Thu, Feb 20, 2020 at 08:11:34PM +0100, Paul B Mahol wrote:
>> Are you sure this is correct?
>> Does asan report exactly an overread by 4?
>
> the next line passes diff_size - 8 as an unsigned data size
> if diff_size is smaller than 8, diff_size - 8 is very big and
> the overread checks which use that will misbehave
>

OK then.

>
> [...]
>> > @@ -269,7 +269,7 @@ static int cdtoons_decode_frame(AVCodecContext
>> > *avctx,
>> > void *data,
>> >                  diff_size  = bytestream_get_be32(&buf);
>> >                  width      = bytestream_get_be16(&buf);
>> >                  height     = bytestream_get_be16(&buf);
>> > -                if (diff_size < 4 || diff_size - 4 > eod - buf) {
>> > +                if (diff_size < 8 || diff_size - 4 > eod - buf) {
>> >                      av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out
>> > of
>> > data for Diff frame data.\n");
>> >                      return AVERROR_INVALIDDATA;
>> >                  }
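Review bot: The raised minimum (`diff_size < 8`) is correct but its motivation is not visible in the hunk, and the subject line only says "off by 4"; the commit message should state why 8 is the floor. From the thread, the code after this check passes `diff_size - 8` as an unsigned size, so any `diff_size` in 4..7 would wrap to a value near 4 GiB and neutralise the bounds checks that rely on it. The second clause `diff_size - 4 > eod - buf` is unaffected by the change and still cannot underflow once `diff_size >= 8`, so leaving it at 4 is consistent; a one-line comment above the check, e.g. `/* 8 = 4 bytes width/height + minimum payload consumed below as diff_size - 8 */` (wording to be confirmed against the code that follows), would make the constant self-explanatory for the next reader.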
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The misfortune of the wise is better than the prosperity of the fool.
> -- Epicurus
>

