[FFmpeg-devel] [PATCH] rmdec.c: correctly skip indexes

Ronald S. Bultje rsbultje
Tue Dec 30 22:14:34 CET 2008


Hi,

On Tue, Dec 30, 2008 at 3:09 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
> Besides, even if len is unsigned, I don't see how that would stop the
> out of array write

That's a good point, but I think that was exploitable before also (or
maybe I misunderstand?), just INTMAX16 instead of INTMAX32. What I'm
unsure about is why the code is the way it is anyway. If remaining_len
is anything <0, we screwed up; if it is >0, then len will be set to it
and it should reset to zero. In any other case (i.e. it is zero), it
should remain untouched. So why not just always set it to 0? See
attached. (If anyone knows of videos that use this, I'd love to test
it. :-).)

Ronald
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: signature.asc
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20081230/d149c764/attachment.asc>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rmdec-prevent-remaining_len-overflow.patch
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20081230/d149c764/attachment-0001.asc>
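Added example, not Ronald's attached patch and not FFmpeg's rmdec.c (whose code is only in the scrubbed attachment): a small C sketch of the two points raised in this exchange. The struct, field names, buffer size and inputs are constructed for illustration. It shows that changing a length to unsigned does not by itself prevent an out-of-array write (a wrapped -1 simply becomes a large positive count), that only a comparison against the real destination capacity does, and that after consuming remaining_len the field can be reset to 0 unconditionally, since the negative case is an error and the zero case is unchanged by the reset.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical demuxer state, constructed for this example; not rmdec.c. */
typedef struct {
    uint8_t buf[32];       /* destination packet buffer */
    size_t  used;          /* bytes currently stored in buf */
    int     remaining_len; /* bytes of the current chunk not yet copied */
} demux_state;

#define DEMUX_ERR_BOUNDS (-1)

/* Appends len bytes from src to s->buf after checking the free capacity.
 * Returns the number of bytes copied or DEMUX_ERR_BOUNDS; never writes
 * past the end of buf. */
int append_checked(demux_state *s, const uint8_t *src, uint32_t len)
{
    /* The signedness of len is irrelevant here: the guard compares against
       the real free space, which is the only thing that stops an
       out-of-array write. */
    if (len > sizeof(s->buf) - s->used)
        return DEMUX_ERR_BOUNDS;
    memcpy(s->buf + s->used, src, len);
    s->used += len;
    return (int)len;
}

/* Mirrors the reasoning in the mail: remaining_len < 0 is a bug and is
 * rejected; > 0 is consumed; 0 is left alone. In both non-error paths the
 * field ends at 0, so it is reset unconditionally. */
int consume_remaining(demux_state *s, const uint8_t *src, size_t src_len)
{
    int rc = 0;
    if (s->remaining_len < 0)
        return DEMUX_ERR_BOUNDS;
    if (s->remaining_len > 0) {
        uint32_t len = (uint32_t)s->remaining_len;
        if (len > src_len)
            len = (uint32_t)src_len;   /* never read past the source */
        rc = append_checked(s, src, len);
    }
    s->remaining_len = 0;              /* unconditional reset */
    return rc;
}

/* Shows that an unsigned length does not help by itself: a 16-bit -1
 * reinterpreted as unsigned is 65535, and only the capacity check in
 * append_checked rejects it. Returns DEMUX_ERR_BOUNDS. */
int reject_wrapped_length(void)
{
    demux_state s = {{0}, 0, 0};
    uint8_t src[4] = {1, 2, 3, 4};                 /* constructed input */
    int16_t signed_len = -1;
    uint16_t unsigned_len = (uint16_t)signed_len;  /* 65535 */
    return append_checked(&s, src, unsigned_len);
}
```

The check in append_checked is against sizeof(buf) - used rather than against any property of len; that is the invariant a fuzzer-found crash in a length-prefixed container format usually points at, whatever the header field's declared type.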