[FFmpeg-cvslog] mxfdec: Fix a potential DoS vector in mxf_read_pixel_layout()

Tomas Härdin git at videolan.org
Wed Oct 24 17:45:07 CEST 2012


ffmpeg | branch: master | Tomas Härdin <tomas.hardin at codemill.se> | Wed Oct 24 16:51:41 2012 +0200| [1d22d269f54cc7e44f778bb6ffee96a172eb07a1] | committer: Michael Niedermayer

mxfdec: Fix a potential DoS vector in mxf_read_pixel_layout()

There's a a potential DoS problem in this function. Say an MXF file is
created with a PixelLayout with a long run of non-zeroes. Such a file could be
sent quickly (packed) over the net and would unpack quite fast. mxfdec would
then read it byte-by-byte, which would take considerable time.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d22d269f54cc7e44f778bb6ffee96a172eb07a1
---

 libavformat/mxfdec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 3f6b7d9..d4ab49f 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -792,7 +792,8 @@ static void mxf_read_pixel_layout(AVIOContext *pb, MXFDescriptor *descriptor)
         if (ofs <= 14) {
             layout[ofs++] = code;
             layout[ofs++] = value;
-        }
+        } else
+            break;  /* don't read byte by byte on sneaky files filled with lots of non-zeroes */
     } while (code != 0); /* SMPTE 377M E.2.46 */
 
     ff_mxf_decode_pixel_layout(layout, &descriptor->pix_fmt);



More information about the ffmpeg-cvslog mailing list