[FFmpeg-devel] [PATCH][RFC] nsv seeking

Jai Menon jmenon86
Wed Apr 22 18:37:12 CEST 2009


On Wed, Apr 22, 2009 at 10:03 PM, Jai Menon <jmenon86 at gmail.com> wrote:
> On Wed, Apr 22, 2009 at 7:03 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
>> On Wed, Apr 22, 2009 at 12:27:20PM +0530, Jai Menon wrote:
>>> On Wed, Apr 22, 2009 at 5:10 AM, Michael Niedermayer <michaelni at gmx.at> wrote:
>>> > On Tue, Apr 21, 2009 at 09:43:16PM +0530, Jai Menon wrote:
>>> >> On Mon, Apr 20, 2009 at 11:48 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
>>> >> > On Mon, Apr 20, 2009 at 08:03:40PM +0530, Jai Menon wrote:
>>> >> >> On Mon, Apr 20, 2009 at 6:24 PM, Michael Niedermayer <michaelni at gmx.at> wrote:
>>> >> >> > On Sun, Apr 19, 2009 at 04:46:48PM +0530, Jai Menon wrote:
>>> >> >> >> On 4/18/09, François Revol <revol at free.fr> wrote:
>>> >> >> > [...]
>>> >> >> >> @@ -348,12 +349,22 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
>>> >> >> >> ? ? ?PRINT(("NSV got infos; filepos %"PRId64"\n", url_ftell(pb)));
>>> >> >> >>
>>> >> >> >> ? ? ?if (table_entries_used > 0) {
>>> >> >> >> + ? ? ? ?int i;
>>> >> >> >> ? ? ? ? ?nsv->index_entries = table_entries_used;
>>> >> >> >> ? ? ? ? ?if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
>>> >> >> >> ? ? ? ? ? ? ?return -1;
>> [...]
>>> >> >> >> + ? ? ? ?nsv->nsvs_file_offset = av_malloc((unsigned)table_entries_used * sizeof(uint32_t));
>>> >> >> >> +
>>> >> >> >> + ? ? ? ?for(i=0;i<table_entries_used;i++)
>>> >> >> >> + ? ? ? ? ? ?nsv->nsvs_file_offset[i] = get_le32(pb) + size;
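Review bot: the overflow guard at the top of this hunk tests the wrong variable: it checks `(unsigned)table_entries >= UINT_MAX / sizeof(uint32_t)`, but both the `av_malloc((unsigned)table_entries_used * sizeof(uint32_t))` call and the `for(i=0;i<table_entries_used;i++)` fill loop are sized by `table_entries_used`, so a large `table_entries_used` still wraps the product and the loop writes past the end of the buffer. Apply the `UINT_MAX / sizeof(uint32_t)` bound to `table_entries_used` before the allocation, and also return an error when `av_malloc()` returns NULL instead of letting the loop dereference `nsv->nsvs_file_offset`.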
>>
>>
>>
>>> >> >> >
>>> >> >> > exploitable
>>> >> >>
>>> >> >> I can't think of any feasible attack vector here. Could you be a little verbose?
>>> >> >
>>> >> > table_entries_used * 4 overflows
>>> >>
>>> >> So you want the file offset table entries to be 64 bit?
>>> >
>>> > No, I want you to make sure you allocate a table that is capable of
>>> > holding the number of entries you write into it.
>>>
>>> Sorry, I don't quite understand. There are table_entries_used no. of
>>> entries in the file offset table. And I'm writing exactly that amount
>>> to the buffer.
>>
>> example:
>> table_entries_used= 0x4FFFFFFF
>>
>> table_entries_used * sizeof(uint32_t) = 0x4FFFFFFF * 4 = 0x3FFFFFFC
>>
>> nsv->nsvs_file_offset= av_malloc(0x3FFFFFFC)
>>
>> for(i=0; i<0x4FFFFFFF; i++)
>>     write 4 bytes to nsv->nsvs_file_offset[i]
>
> Thanks for the example. Is the attached patch better?

Forgot to roll last change in.
Patch attached.

-- 
Regards,

Jai
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-toc2-parsing-and-seeking-support-to-the-nsv-demu.patch
Type: text/x-patch
Size: 4247 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090422/35245477/attachment.bin>
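The arithmetic in Michael's example, reproduced as an added C example that is not the nsv demuxer's code and not the patch attached above. It shows that 0x4FFFFFFF entries times sizeof(uint32_t) wraps to 0x3FFFFFFC in 32-bit unsigned arithmetic, and pairs that with the bound the allocation needs, applied to the same count that sizes the buffer and bounds the fill loop, plus a NULL check on the allocation and a check that the input actually contains the announced number of entries. Function names (table_size_wrapped32, table_count_ok, load_offset_table, demo_ok) are hypothetical, and the 3-entry table bytes are constructed for the demo; the `base` parameter stands in for the header size the patch adds to each offset.

```c
/* Added example, not the nsv demuxer's code nor the patch under review.
 * Names here are hypothetical; sample_table is constructed for the demo. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocation size the unchecked code computes when the product is
 * evaluated in 32-bit unsigned arithmetic: 0x4FFFFFFF * 4 wraps to
 * 0x3FFFFFFC, far smaller than the 0x4FFFFFFF entries the loop writes. */
uint32_t table_size_wrapped32(uint32_t entries)
{
    return entries * (uint32_t)sizeof(uint32_t);
}

/* The guard the allocation needs, applied to the count that both sizes
 * the buffer and bounds the fill loop. UINT_MAX / 4 == 0x3FFFFFFF, so the
 * count from the example is rejected. Zero is rejected too, since the
 * demuxer only enters this path for a positive count. */
int table_count_ok(uint32_t entries)
{
    return entries > 0 && entries <= UINT_MAX / sizeof(uint32_t);
}

/* Little-endian 32-bit read, standing in for get_le32(pb). */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loader. 'entries' is the attacker-controlled count from the
 * file header; 'base' is added to each stored offset. Returns NULL when
 * the count is unusable, when the input is shorter than the table it
 * announces, or when malloc fails; *out_n is the number of entries loaded. */
uint32_t *load_offset_table(const uint8_t *buf, size_t buflen,
                            uint32_t entries, uint32_t base, size_t *out_n)
{
    if (!table_count_ok(entries))
        return NULL;
    /* cannot wrap: entries <= UINT_MAX / 4 was checked above */
    size_t bytes = (size_t)entries * sizeof(uint32_t);
    if (bytes > buflen)
        return NULL;
    uint32_t *tab = malloc(bytes);
    if (!tab)
        return NULL;
    for (uint32_t i = 0; i < entries; i++)
        tab[i] = rd_le32(buf + (size_t)i * 4) + base;
    *out_n = entries;
    return tab;
}

/* Constructed 3-entry table: stored offsets 0x10, 0x20, 0x30. */
static const uint8_t sample_table[12] = {
    0x10, 0, 0, 0,  0x20, 0, 0, 0,  0x30, 0, 0, 0
};

/* Runs the sample through the loader: 1 if every offset came out as
 * stored value + base, a count larger than the data is refused, and the
 * count from Michael's example is refused; 0 otherwise. */
int demo_ok(void)
{
    size_t n = 0;
    uint32_t *tab = load_offset_table(sample_table, sizeof sample_table,
                                      3, 0x100, &n);
    int ok = tab && n == 3 &&
             tab[0] == 0x110 && tab[1] == 0x120 && tab[2] == 0x130;
    free(tab);
    /* same 12 bytes, but a header that announces four entries */
    if (load_offset_table(sample_table, sizeof sample_table, 4, 0x100, &n))
        ok = 0;
    /* the count from the example: rejected before any multiplication */
    if (load_offset_table(sample_table, sizeof sample_table,
                          0x4FFFFFFFu, 0x100, &n))
        ok = 0;
    return ok;
}

int main(void)
{
    printf("0x4FFFFFFF * 4 in 32 bits = 0x%08X, count ok? %d\n",
           table_size_wrapped32(0x4FFFFFFFu), table_count_ok(0x4FFFFFFFu));
    printf("demo %s\n", demo_ok() ? "ok" : "FAILED");
    return demo_ok() ? 0 : 1;
}
```

The point of checking the count rather than the product is that the check happens before the operation that can wrap; once the multiplication has wrapped there is nothing left to compare against. The length check against the input is the second half of the same bug class: a count that passes the arithmetic bound can still exceed what the file actually carries.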
