[Ffmpeg-cvslog] r5487 - trunk/libavcodec/parser.c

Måns Rullgård mru
Sat Jun 17 13:25:28 CEST 2006


Michael Niedermayer <michaelni at gmx.at> writes:

> Hi
>
> On Fri, Jun 16, 2006 at 10:41:34PM +0200, mru wrote:
>> Author: mru
>> Date: Fri Jun 16 22:41:33 2006
>> New Revision: 5487
>> 
>> Modified:
>>    trunk/libavcodec/parser.c
>> 
>> Log:
>> The AAC frame header uses 13 bits for the frame size, so the buffer should
>> have room for such a frame.  A frame that large seems unlikely in a valid
>> file, but leaving room for it spares us the need to check it elsewhere.
>> Moving the buffer to the end of the struct made debugging this easier.
>> 
>> 
>> Modified: trunk/libavcodec/parser.c
>> ==========================================================================
>> --- trunk/libavcodec/parser.c	(original)
>> +++ trunk/libavcodec/parser.c	Fri Jun 16 22:41:33 2006
>> @@ -729,12 +729,12 @@
>>  
>>  /* also used for ADTS AAC */
>>  typedef struct AC3ParseContext {
>> -    uint8_t inbuf[4096]; /* input buffer */
>>      uint8_t *inbuf_ptr;
>>      int frame_size;
>>      int header_size;
>>      int (*sync)(const uint8_t *buf, int *channels, int *sample_rate,
>>                  int *bit_rate, int *samples);
>> +    uint8_t inbuf[8192]; /* input buffer */
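
Review bot: the new size in `uint8_t inbuf[8192];` is a bare literal that keeps only the old "input buffer" comment, so nothing in the struct ties it to the 13-bit ADTS frame size field that the log message gives as the reason. A named constant defined as 1 << 13 with a one-line comment would keep the two from drifting apart, and because the struct comment says it is also used for AC3, that comment should say which format sets the bound. Moving inbuf after inbuf_ptr, frame_size, header_size and sync means an overrun no longer lands on those members, but this hunk adds no length check, so the guarantee rests on every writer being limited by the header's frame size; a check of frame_size against sizeof(inbuf) at the point where it is assigned would make that explicit.
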
>
> hmm, isn't that also a security fix, I mean that if something writes
> over the end of inbuf then it would also overwrite the following
> function pointer sync() amongst other things ...

You could look at it that way, but now it will just overwrite
something else instead.  Anyhow, the buffer is now large enough that
writing past the end should be impossible.

-- 
Måns Rullgård
mru at inprovide.com
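
The layout question raised in this thread, as an added example that is not part of the original messages or of FFmpeg's code: it compares where `sync` sits relative to `inbuf` before and after r5487, and checks that the largest 13-bit ADTS frame length fits in 8192 bytes but not in 4096. The names `ctx_old`, `ctx_new`, `adts_frame_len` and `store_frame` are hypothetical, the header bytes are constructed, the bit positions come from the ADTS header format rather than from the patch, and the explicit length check is an assumption about how a caller could enforce the bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*sync_fn)(const uint8_t *buf, int *channels, int *sample_rate,
                       int *bit_rate, int *samples);
/* Layout before r5487: the members after inbuf sit in the path of an overrun. */
struct ctx_old { uint8_t inbuf[4096]; uint8_t *inbuf_ptr; int frame_size;
                 int header_size; sync_fn sync; };
/* Layout after r5487: inbuf is last and can hold the largest 13-bit frame. */
struct ctx_new { uint8_t *inbuf_ptr; int frame_size; int header_size;
                 sync_fn sync; uint8_t inbuf[8192]; };

/* ADTS frame length: 13 bits spanning header bytes 3..5 (hdr needs 6 bytes). */
static int adts_frame_len(const uint8_t *hdr)
{
    return ((hdr[3] & 0x03) << 11) | (hdr[4] << 3) | (hdr[5] >> 5);
}

/* Hypothetical helper: copy one frame into a buffer of size cap, refusing
 * anything that does not fit. Returns bytes copied, or -1 on rejection. */
static int store_frame(uint8_t *dst, size_t cap, const uint8_t *src, int len)
{
    if (len < 0 || (size_t)len > cap)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* 1 if the sync pointer lies at a higher offset than inbuf in the struct. */
static int old_sync_follows_inbuf(void)
{ return offsetof(struct ctx_old, sync) > offsetof(struct ctx_old, inbuf); }
static int new_sync_follows_inbuf(void)
{ return offsetof(struct ctx_new, sync) > offsetof(struct ctx_new, inbuf); }

int main(void)
{
    /* Constructed header: syncword plus all 13 frame-length bits set. */
    static const uint8_t hdr[7] = { 0xFF, 0xF1, 0x50, 0x83, 0xFF, 0xFC, 0xFC };
    static uint8_t frame[8191];
    struct ctx_old o; struct ctx_new n;
    int len = adts_frame_len(hdr);
    printf("len=%d old=%d new=%d sync_after_inbuf old=%d new=%d\n", len,
           store_frame(o.inbuf, sizeof o.inbuf, frame, len),
           store_frame(n.inbuf, sizeof n.inbuf, frame, len),
           old_sync_follows_inbuf(), new_sync_follows_inbuf());
    return 0;
}
```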



