[FFmpeg-devel] oggparsevorbis.c vorbis_comment: check for negative size
Attila Kinali
attila
Sun Oct 7 12:42:13 CEST 2007
Hi,
I stumbled over the following bug:
---
Program received signal SIGSEGV, Segmentation fault.
vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
at oggparsevorbis.c:51
51 n = AV_RL32(p);
(gdb) bt
#0 vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
at oggparsevorbis.c:51
#1 0x0000000000600452 in vorbis_header (s=0xf11030, idx=<value optimized out>)
at oggparsevorbis.c:198
(gdb) f 0
#0 vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
at oggparsevorbis.c:51
51 n = AV_RL32(p);
(gdb) p p
$1 = 0xffffffff80f2a8d6 <Address 0xffffffff80f2a8d6 out of bounds>
(gdb) p s
$2 = -2147483619
(gdb) f 1
(gdb) p *os
$4 = {buf = 0xf2a890 "\001vorbis", bufsize = 65307, bufpos = 115, pstart = 30,
psize = 85, serial = 1, seq = 1, granule = 0, lastgp = 0, flags = 0,
codec = 0xd3a1a0, header = -1, nsegs = 1, segp = 1,
segments = "U", '\0' <repeats 253 times>, private = 0xf1a170}
---
The segfault occurs because s is read from the file but is only
checked to be smaller than the limit, not whether it is
positive, resulting in an overflow when it is a big negative number.
Patch attached.
Attila Kinali
--
Linux is... when even simple things can be solved with a cryptic
post-fix language
-- Daniel Hottinger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_negative_size.diff
Type: text/x-diff
Size: 341 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20071007/541ba3e7/attachment.diff>
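Added example (not FFmpeg's code and not the attached patch, which is not reproduced on this page): a reconstruction of the check shape the mail describes, where the vendor-string length from the comment packet lands in a signed int and is compared only against an upper bound, next to a hardened parser that treats every length as unsigned and checks it against the bytes actually remaining before moving the pointer. The names rl32, old_length_check_passes, parse_vorbis_comment and vorbis_comments are this example's own; the two packets are constructed, the bad one carrying the length 0x8000001D that reads as -2147483619, the value of s in the gdb session above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local little-endian 32-bit read, in the spirit of FFmpeg's AV_RL32. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Shape of the check the mail describes (reconstructed, not FFmpeg's code):
 * the vendor length lands in a signed int and is only compared against the
 * upper bound.  With the top bit set it is negative, so "size < s + 4" is
 * false and a parser would go on to step its pointer back by about 2 GiB.
 * Returns 1 if the bound check lets the length through. */
int old_length_check_passes(int size, const uint8_t *len_bytes)
{
    /* out-of-range conversion is implementation-defined; on the usual
     * two's-complement targets 0x8000001D becomes -2147483619 */
    int s = (int32_t)rl32(len_bytes);
    if (size < s + 4)
        return 0;
    return 1;
}

typedef struct {
    char vendor[64];
    int  ncomments;
    char comments[8][64];
} vorbis_comments;

/* Copy at most cap-1 bytes and NUL-terminate. */
static void copy_str(char *dst, size_t cap, const uint8_t *src, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Hardened parse of a comment packet body (the bytes after "\x03vorbis").
 * Every length is unsigned and compared against what actually remains, so
 * a "negative" length is just a huge one and is rejected before any pointer
 * arithmetic happens.  Returns 0 on success, -1 on a malformed packet. */
int parse_vorbis_comment(const uint8_t *buf, size_t size, vorbis_comments *out)
{
    const uint8_t *p = buf, *end = buf + size;
    uint32_t s, n, i;

    memset(out, 0, sizeof(*out));

    if ((size_t)(end - p) < 4)
        return -1;
    s = rl32(p);
    p += 4;
    /* need s vendor bytes plus the 4-byte comment count behind them */
    if (s > (size_t)(end - p) || (size_t)(end - p) - s < 4)
        return -1;
    copy_str(out->vendor, sizeof(out->vendor), p, s);
    p += s;

    n = rl32(p);
    p += 4;
    for (i = 0; i < n; i++) {
        uint32_t len;
        if ((size_t)(end - p) < 4)
            return -1;
        len = rl32(p);
        p += 4;
        if (len > (size_t)(end - p))
            return -1;
        if (out->ncomments < 8) {
            copy_str(out->comments[out->ncomments], 64, p, len);
            out->ncomments++;
        }
        p += len;
    }
    return 0;
}

/* Constructed sample: vendor "Xiph.Org libVorbis" (18 bytes) and two comments. */
static const uint8_t good_packet[] = {
    0x12,0x00,0x00,0x00,
    'X','i','p','h','.','O','r','g',' ','l','i','b','V','o','r','b','i','s',
    0x02,0x00,0x00,0x00,
    0x0a,0x00,0x00,0x00, 'T','I','T','L','E','=','t','e','s','t',
    0x09,0x00,0x00,0x00, 'A','R','T','I','S','T','=','m','e',
};

/* Constructed sample: vendor length 0x8000001D, i.e. -2147483619 as a
 * signed int, the s value from the gdb session. */
static const uint8_t bad_packet[] = {
    0x1d,0x00,0x00,0x80, 'v','o','r','b','i','s',0,0
};

int main(void)
{
    vorbis_comments c;
    printf("old check on bad length: %s\n",
           old_length_check_passes(81, bad_packet) ? "PASSES (bug)" : "rejects");
    printf("hardened parser on bad packet: %d\n",
           parse_vorbis_comment(bad_packet, sizeof bad_packet, &c));
    if (parse_vorbis_comment(good_packet, sizeof good_packet, &c) == 0)
        printf("vendor=%s comments=%d first=%s\n", c.vendor, c.ncomments, c.comments[0]);
    return 0;
}
```

The signed comparison in old_length_check_passes accepts the bad length with 81 bytes of packet left, which is exactly the situation in the backtrace; the hardened parser rejects the same packet at the first length check and still parses the well-formed one.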