[FFmpeg-devel] oggparsevorbis.c vorbis_comment: check for negative size

Måns Rullgård mans
Thu Oct 11 01:01:24 CEST 2007


Attila Kinali <attila at kinali.ch> writes:

> Moin,
>
> I stumbled over the following bug:
>
> ---
> Program received signal SIGSEGV, Segmentation fault.
> vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
>     at oggparsevorbis.c:51
> 51          n = AV_RL32(p);
> (gdb) bt
> #0  vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
>     at oggparsevorbis.c:51
> #1  0x0000000000600452 in vorbis_header (s=0xf11030, idx=<value optimized out>)
>     at oggparsevorbis.c:198
> (gdb) f 0
> #0  vorbis_comment (as=0xf11030, buf=<value optimized out>, size=-2147483604)
>     at oggparsevorbis.c:51
> 51          n = AV_RL32(p);
> (gdb) p p
> $1 = 0xffffffff80f2a8d6 <Address 0xffffffff80f2a8d6 out of bounds>
> (gdb) p s
> $2 = -2147483619
> (gdb) f 1
> (gdb) p *os 
> $4 = {buf = 0xf2a890 "\001vorbis", bufsize = 65307, bufpos = 115, pstart = 30, 
>   psize = 85, serial = 1, seq = 1, granule = 0, lastgp = 0, flags = 0, 
>   codec = 0xd3a1a0, header = -1, nsegs = 1, segp = 1, 
>   segments = "U", '\0' <repeats 253 times>, private = 0xf1a170}
> ---
>
> The segfault occurs, because s is read from the file but only
> checked to be smaller than the limit, but not whether it is
> positive, resulting in an overflow when it is a big negative number.

Hopefully fixed.  I didn't see a sample so I can't verify it.

-- 
Måns Rullgård
mans at mansr.com
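The check Attila describes, as an added example that is not code from the FFmpeg tree: a modelled signed-length check beside an unsigned one bounded by the bytes that actually remain, then a walker that uses the hardened check over a constructed Vorbis comment block (vendor string, comment count, length-prefixed strings). `rl32` stands in for AV_RL32, and the buggy check is an assumption about the shape of the original code, built from the bug report rather than from oggparsevorbis.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Little-endian 32-bit read, the same convention as AV_RL32 in the trace. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Modelled on the report, not FFmpeg's code: the length lands in a signed int
 * and is only compared against the remaining size, so a negative value passes
 * and the caller then advances its pointer out of bounds. */
static bool length_ok_buggy(const uint8_t *p, const uint8_t *end)
{
    int s = (int)rl32(p);
    return end - p >= 4 && s <= end - p - 4;   /* -2147483619 <= 0 is true */
}
/* Hardened check: keep the length unsigned and bound it by the bytes that
 * actually remain, which rejects negative and oversized values alike. */
static bool length_ok_fixed(const uint8_t *p, const uint8_t *end)
{
    uint32_t s = rl32(p);
    return end - p >= 4 && s <= (size_t)(end - p - 4);
}

/* Walks a Vorbis comment block (vendor string, then a counted list of
 * length-prefixed strings) using the hardened check; returns the number of
 * user comments, or -1 when a length field does not fit in the buffer. */
static int count_comments(const uint8_t *buf, size_t size)
{
    const uint8_t *p = buf, *end = buf + size;
    uint32_t n, i;
    if (!length_ok_fixed(p, end)) return -1;
    p += 4 + rl32(p);                          /* skip vendor string */
    if (end - p < 4) return -1;
    n = rl32(p); p += 4;
    for (i = 0; i < n; i++, p += 4 + rl32(p))  /* length verified before use */
        if (!length_ok_fixed(p, end)) return -1;
    return (int)i;
}
/* Constructed samples: a well-formed block, and one whose comment length is
 * 0x8000001D, i.e. the -2147483619 from the backtrace when read as an int. */
static const uint8_t good_block[] = { 6,0,0,0, 'f','f','m','p','e','g', 2,0,0,0,
    7,0,0,0, 'T','I','T','L','E','=','x', 8,0,0,0, 'A','R','T','I','S','T','=','y' };
static const uint8_t bad_block[] = { 6,0,0,0, 'f','f','m','p','e','g', 1,0,0,0,
    0x1D,0x00,0x00,0x80 };
bool bad_passes_buggy_check(void) { return length_ok_buggy(bad_block + 14, bad_block + sizeof bad_block); }
bool bad_passes_fixed_check(void) { return length_ok_fixed(bad_block + 14, bad_block + sizeof bad_block); }
int good_block_comments(void) { return count_comments(good_block, sizeof good_block); }
int bad_block_comments(void)  { return count_comments(bad_block, sizeof bad_block); }
```

The buggy check accepts the negative length at offset 14 of `bad_block`, while the unsigned comparison rejects it and the walker reports the block as malformed instead of advancing past the buffer.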