[FFmpeg-devel] [PATCH] avformat/aaxdec: Fix potential integer overflow
Paul B Mahol
onemda at gmail.com
Sun Sep 20 21:04:30 EEST 2020
On Sun, Sep 20, 2020 at 06:16:57PM +0200, Andreas Rheinhardt wrote:
> The AAX demuxer reads a 32bit number containing the amount of entries
> of an array and stores it in an uint32_t. Yet when iterating over this
> array, a loop counter of type int is used. This leads to undefined
> behaviour if the amount of entries is not in the range of int; to avoid
> this, it is generally good to use the same type for the loop counter as
> for the variable it is compared to. This is done in one of the two loops
> affected by this.
>
> In the other loop, the undefined behaviour can begin even earlier: Here
> the loop counter is multiplied by an uint16_t which can overflow as soon
> as the loop counter is > 2^15. Using an unsigned type would avoid the
> undefined behaviour, but truncation would still be possible, so use an
> uint64_t.
>
> Also use an uint32_t for a variable containing an index in said array.
>
> This fixes Coverity issue #1466767.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---
> This is untested as I could only find out that this is a gaming format.
>
lgtm
> libavformat/aaxdec.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
> index cfd2e10a15..3db6e9bc6d 100644
> --- a/libavformat/aaxdec.c
> +++ b/libavformat/aaxdec.c
> @@ -51,7 +51,7 @@ typedef struct AAXContext {
> int64_t strings_size;
> char *string_table;
>
> - int current_segment;
> + uint32_t current_segment;
>
> AAXColumn *xcolumns;
> AAXSegment *segments;
> @@ -239,7 +239,7 @@ static int aax_read_header(AVFormatContext *s)
> flag = a->xcolumns[c].flag;
> col_offset = a->xcolumns[c].offset;
>
> - for (int r = 0; r < a->nb_segments; r++) {
> + for (uint64_t r = 0; r < a->nb_segments; r++) {
> if (flag & COLUMN_FLAG_DEFAULT) {
> data_offset = a->schema_offset + col_offset;
> } else if (flag & COLUMN_FLAG_ROW) {
> @@ -330,7 +330,7 @@ static int aax_read_packet(AVFormatContext *s, AVPacket *pkt)
>
> pkt->pos = avio_tell(pb);
>
> - for (int seg = 0; seg < a->nb_segments; seg++) {
> + for (uint32_t seg = 0; seg < a->nb_segments; seg++) {
> int64_t start = a->segments[seg].start;
> int64_t end = a->segments[seg].end;
>
> --
> 2.25.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list