[FFmpeg-devel] oggparsevorbis.c vorbis_comment: check for negative size

Attila Kinali attila
Sun Oct 7 12:42:13 CEST 2007


Moin,

I stumbled over the following bug:

---
Program received signal SIGSEGV, Segmentation fault.
vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
    at oggparsevorbis.c:51
51          n = AV_RL32(p);
(gdb) bt
#0  vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
    at oggparsevorbis.c:51
#1  0x0000000000600452 in vorbis_header (s=0xf11030, idx=<value optimized out>)
    at oggparsevorbis.c:198
(gdb) f 0
#0  vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
    at oggparsevorbis.c:51
51          n = AV_RL32(p);
(gdb) p p
$1 = 0xffffffff80f2a8d6 <Address 0xffffffff80f2a8d6 out of bounds>
(gdb) p s
$2 = -2147483619
(gdb) f 1
(gdb) p *os 
$4 = {buf = 0xf2a890 "\001vorbis", bufsize = 65307, bufpos = 115, pstart = 30, 
  psize = 85, serial = 1, seq = 1, granule = 0, lastgp = 0, flags = 0, 
  codec = 0xd3a1a0, header = -1, nsegs = 1, segp = 1, 
  segments = "U", '\0' <repeats 253 times>, private = 0xf1a170}
---

The segfault occurs because s is read from the file but is only
checked to be smaller than the limit, not whether it is
positive, resulting in an overflow when it is a big negative number.

Patch attached


			Attila Kinali


-- 
Linux is... when you can solve even simple things with a cryptic
post-fix language
                        -- Daniel Hottinger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_negative_size.diff
Type: text/x-diff
Size: 341 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20071007/541ba3e7/attachment.diff>
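The parsing mistake the report describes, as an added example that is not FFmpeg's code: a hypothetical Vorbis comment-header parser that keeps the size unsigned and checks every length read from the file against the bytes that actually remain, run over constructed sample blocks (one valid, one with a 0xFFFFFFFF length that a signed `int` would see as -1, one truncated).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical defensive Vorbis comment parser, constructed for this
 * note; it is not FFmpeg's oggparsevorbis.c. Layout: u32 LE vendor
 * length, vendor string, u32 LE comment count, then per comment a
 * u32 LE length followed by the "KEY=value" bytes. */

static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the comment count, or -1 for a malformed block. `size` is
 * unsigned, so a length read from the file can never look negative,
 * and every length is compared with the bytes actually remaining. */
int vorbis_comment_count(const uint8_t *buf, size_t size)
{
    const uint8_t *p = buf, *end = buf + size;
    uint32_t n, i, len;

    if (size < 8)                        /* vendor length + comment count */
        return -1;
    len = rl32(p); p += 4;
    if (len > (size_t)(end - p) - 4)     /* vendor must leave room for the count */
        return -1;
    p += len;
    n = rl32(p); p += 4;
    for (i = 0; i < n; i++) {
        if ((size_t)(end - p) < 4)
            return -1;
        len = rl32(p); p += 4;
        if (len > (size_t)(end - p))     /* 0xFFFFFFFF (-1 as int) fails here */
            return -1;
        p += len;
    }
    return (int)n;                       /* n * 4 <= size, so it fits an int */
}

/* Constructed samples: a valid block, one with a 0xFFFFFFFF vendor
 * length, and one whose last comment claims more bytes than exist. */
static const uint8_t good[] = { 4,0,0,0,'X','i','p','h', 2,0,0,0,
                                3,0,0,0,'A','=','1', 4,0,0,0,'B','=','2','2' };
static const uint8_t neg_len[]   = { 0xff,0xff,0xff,0xff, 0,0,0,0 };
static const uint8_t truncated[] = { 0,0,0,0, 1,0,0,0, 10,0,0,0, 'K','=','v' };

int main(void)
{
    printf("good: %d\n", vorbis_comment_count(good, sizeof good));                /* 2 */
    printf("neg_len: %d\n", vorbis_comment_count(neg_len, sizeof neg_len));       /* -1 */
    printf("truncated: %d\n", vorbis_comment_count(truncated, sizeof truncated)); /* -1 */
    return 0;
}
```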
