[FFmpeg-devel] oggparsevorbis.c vorbis_comment: check for negative size
Måns Rullgård
Thu Oct 11 01:01:24 CEST 2007
Attila Kinali <attila at kinali.ch> writes:
> Moin,
>
> I stumbled over the following bug:
>
> ---
> Program received signal SIGSEGV, Segmentation fault.
> vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
> at oggparsevorbis.c:51
> 51 n = AV_RL32(p);
> (gdb) bt
> #0 vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
> at oggparsevorbis.c:51
> #1 0x0000000000600452 in vorbis_header (s=0xf11030, idx=<value optimized out>)
> at oggparsevorbis.c:198
> (gdb) f 0
> #0 vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
> at oggparsevorbis.c:51
> 51 n = AV_RL32(p);
> (gdb) p p
> $1 = 0xffffffff80f2a8d6 <Address 0xffffffff80f2a8d6 out of bounds>
> (gdb) p s
> $2 = -2147483619
> (gdb) f 1
> (gdb) p *os
> $4 = {buf = 0xf2a890 "\001vorbis", bufsize = 65307, bufpos = 115, pstart = 30,
> psize = 85, serial = 1, seq = 1, granule = 0, lastgp = 0, flags = 0,
> codec = 0xd3a1a0, header = -1, nsegs = 1, segp = 1,
> segments = "U", '\0' <repeats 253 times>, private = 0xf1a170}
> ---
>
> The segfault occurs because s is read from the file but only
> checked to be smaller than the limit, but not whether it is
> positive, resulting in an overflow when it is a big negative number.
Hopefully fixed. I didn't see a sample so I can't verify it.
--
Måns Rullgård
mans at mansr.com
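The signed-length bug the quoted report describes, as an added C example that is not FFmpeg's code: a length read with a helper in the role of AV_RL32 is first checked the buggy way (signed, only "smaller than the limit") and then the hardened way (unsigned, against the bytes actually remaining). The helper names, the walker and the two sample headers are constructed for illustration; the oversize length 0x8000001D is the value s = -2147483619 from the backtrace.

```c
#include <stdint.h>
#include <stddef.h>

/* Little-endian 32-bit read, same role as AV_RL32 in the report. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Buggy bound check, as described in the report: both operands are signed,
 * so a length with the top bit set (negative as int) passes "s < limit". */
int length_ok_signed(int s, int limit)
{
    return s < limit;
}

/* Hardened check: keep the length unsigned and compare it against the
 * number of bytes actually remaining; a huge value can never pass. */
int length_ok_unsigned(uint32_t s, size_t remaining)
{
    return s <= remaining;
}

/* Walk a Vorbis comment header body: vendor string, then a count of
 * length-prefixed user comments. Returns the number of user comments,
 * or -1 if any length field would run past the end of the buffer. */
int vorbis_comment_count(const uint8_t *buf, size_t size)
{
    size_t off = 0;
    uint32_t s, n, i;

    if (size < 4) return -1;
    s = rl32(buf); off += 4;
    if (!length_ok_unsigned(s, size - off)) return -1;  /* vendor string */
    off += s;

    if (size - off < 4) return -1;
    n = rl32(buf + off); off += 4;

    for (i = 0; i < n; i++) {
        if (size - off < 4) return -1;                  /* truncated length */
        s = rl32(buf + off); off += 4;
        if (!length_ok_unsigned(s, size - off)) return -1; /* oversize comment */
        off += s;
    }
    return (int)n;
}

/* Constructed sample headers: one well-formed, one carrying the report's s. */
static const uint8_t GOOD_HDR[] = { 4,0,0,0, 'X','i','p','h', 1,0,0,0,
                                    7,0,0,0, 'T','I','T','L','E','=','x' };
static const uint8_t BAD_HDR[]  = { 4,0,0,0, 'X','i','p','h', 1,0,0,0,
                                    0x1D,0x00,0x00,0x80 /* 0x8000001D */ };
```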