[FFmpeg-devel] [PATCH] oops I broke rdt.c

Michael Niedermayer michaelni
Wed Dec 17 18:51:06 CET 2008


On Wed, Dec 17, 2008 at 12:24:43PM -0500, Ronald S. Bultje wrote:
> Hi,
> 
> On Wed, Dec 17, 2008 at 12:04 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> > this sounds fragile.
> > st->id is 2 different things in one file (rmdec.c)
> 
> No it isn't (?). In rdt.c, it's one, in rmdec.c, it's the other.
> 
> I think you're confused because a subset of the code in rmdec.c can be
> called from within rdt.c.

change that subset and you have an exploitable bug


> However, that is not the code that uses
> st->id (just do a quick grep, you'll see that use of the value in
> st->id is restricted to sync(), that's also true for
> rm->current_stream (which can take the value of st->id)). So, st->id in
> rmdec.c is only used within sync(), which is and will never be used
> for RTSP. sync() syncs on the RM packet header, which precedes the RM
> packet data. In RDT, a RDT/RTSP packet header precedes the RM packet
> data instead, there is no RM packet header.
> 

> For RM streams, st->id is the RM packet header ID of each stream.

that part makes sense, the "id" is the id ...


> 
> For RDT/RTSP streams, st->id is the index of the stream within the set
> of identical content streams.

that is a misuse of the variable IMHO


> 
> The two are exclusive, they both precede RM packet data parsing, but
> for different kind of streams that both happen to encapsulate RM
> packet data.
> 
> Again, I don't mind getting rid of st->id, but I want to make it clear
> that this part of the code is theoretically and practically not
> exploitable. If you want I can take the shared code out of rmdec.c
> into a new file so that a grep for st->id in that new file is
> negative, but that seems kind of overkill to me.
> 

> (I guess I'll just remove use of st->id in rdt.c to make you happy. :-).)

yes, this indeed will make me happy


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus