[Ffmpeg-devel] Buffer overflow in ffdca

Michael Niedermayer michaelni
Fri Apr 27 07:32:23 CEST 2007


Hi

On Fri, Apr 27, 2007 at 03:36:37AM +0300, Uoti Urpala wrote:
> The loop at line 1104 doesn't check that the packet fits in the output
> buffer.
> 
> Maybe that was caused by confusion about how the bitstream writer works
> - the code gives the output buffer size to init_put_bits(), but the
> writer will just ignore that.

adding a

if((unsigned)src_size > (unsigned)max_size)
    return -1;

at the top of the function should fix that, also the FFMIN could then be
removed, but it would waste 1/8 of the buffer

if there are no objections or other suggestions then ill commit that 
in a few hours

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070427/9955a61b/attachment.pgp>



More information about the ffmpeg-devel mailing list