[FFmpeg-devel] [BUG] UTF-8 decoder vulnerable to character spoofing attacks

Michael Niedermayer michaelni
Mon Oct 22 17:31:18 CEST 2007 

Hi

On Mon, Oct 22, 2007 at 10:24:41AM -0400, Rich Felker wrote:
> The UTF-8 decoder in libavutil has a classic bug where it incorrectly
> decodes illegal sequences as aliases for valid characters. For
> instance, the sequence "C0 80" will decode to NUL, and the sequence
> "C0 AF" will decode to '/'. Aside from possible direct vulnerabilities
> (of which there are probably none at present, but I have not checked),

> this can lead to indirect problems by allowing illegal sequences to
> get into files generated by ffmpeg, causing problems for other
> processes interpreting the files.

well, i dont see how any change to GET_UTF8 could affect that.
UTF8 generated by ffmpeg should be valid, UTF8 input into ffmpeg gets
stored in the output files without ever being touched by GET_UTF8
we could add some code to check the validity of UTF8 strings but iam
not sure if this is ffmpegs job, if the user feeds ffmpeg with invalid
data and asks it to copy it why shouldnt it?

should we also decode the video stream for stream copy to ensure its not
damaged?


> 
> In addition, the code fails to detect illegal sequences beginning with
> more than 4 bits equal to 1. I have attached a naive, inefficient
> patch for fixing these issues, but someone should really write a
> better fix.

i would first like to understand under what circumstances the current code
is causing a real problem (security or normal bug)


> 
> Also, a few other 'bugs' in the code:
[...]
> - it's not wrapped in the proper do { ... } while(0) construct to make
>   it behave as a single statement.

i wouldnt call that "bug" but rather feature, id like to keep the code
readable ...


[...]

> P.S. I was going to use the bug tracker but it seems to be
> misconfigured and unable to send me a confirmation mail... Also the

luca?


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Frequently ignored awnser#1 FFmpeg bugs should be sent to our bugtracker, user
questions for the command line tools ffmpeg, ffplay, ... as well as questions
about how to use libav* should be sent to the ffmpeg-user mailinglist.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20071022/5b9c7c69/attachment.pgp>

More information about the ffmpeg-devel mailing list