[Ffmpeg-cvslog] r7889 - trunk/libavcodec/mpeg12.c

Michael Niedermayer michaelni
Sun Feb 11 01:04:34 CET 2007 

Hi

On Sun, Feb 11, 2007 at 01:21:11AM +0200, Ivan Kalvachev wrote:
> 2007/2/9, michael <subversion at mplayerhq.hu>:
> >Author: michael
> >Date: Fri Feb  9 03:21:34 2007
> >New Revision: 7889
> >
> >Modified:
> >   trunk/libavcodec/mpeg12.c
> >
> >Log:
> >fix segfault with lol-ffplay2.mpg (dunno if this is exploitable, probably 
> >not easily)
> >
> >
> >Modified: trunk/libavcodec/mpeg12.c
> >==============================================================================
> >--- trunk/libavcodec/mpeg12.c   (original)
> >+++ trunk/libavcodec/mpeg12.c   Fri Feb  9 03:21:34 2007
> >@@ -2593,6 +2593,10 @@
> >             break;
> >         }
> >     }
> >+    if(s->mb_x >= (unsigned)s->mb_width){
> >+        av_log(s->avctx, AV_LOG_ERROR, "initial skip overflow\n");
> >+        return -1;
> >+    }
> >
> >     s->resync_mb_x= s->mb_x;
> >     s->resync_mb_y= s->mb_y= mb_y;
> 
> Are you sure this is error condition?

yes


> 
> I don't see anything in mpeg standards that indicates so. even contrary.

---
slice_vertical_position --  This is given by the last eight bits of
the slice_start_code. It is an unsigned integer giving the vertical
position in macroblock units of the first macroblock in the slice.
The slice_vertical_position of the first row of macroblocks is one.
 Some slices may have the same slice_vertical_position, since
slices may start and finish anywhere.  Note that the
slice_vertical_position is constrained by Clause 2.4.1 to define
non-overlapping slices with no gaps between them. The maximum value
of slice_vertical_position is 175.
---

now if mb_x >= mb_width then the first mb would be at height 
slice_vertical_position+1 violating the above

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/attachments/20070211/9c01c70f/attachment.pgp>

More information about the ffmpeg-cvslog mailing list