[FFmpeg-devel] ADPCM task (was Re: files in incoming)

Michael Niedermayer michaelni
Thu Jan 29 23:42:13 CET 2009


On Thu, Jan 29, 2009 at 10:03:29PM +0100, Reimar Döffinger wrote:
> On Thu, Jan 29, 2009 at 08:40:53PM +0100, Stefan Gehrer wrote:
> > Index: libavcodec/adpcm.c
> > ===================================================================
> > --- libavcodec/adpcm.c	(revision 16828)
> > +++ libavcodec/adpcm.c	(working copy)
> > @@ -1300,9 +1300,10 @@
> >          }
> >  
> >          for (channel=0; channel<avctx->channels; channel++) {
> > -            srcC = src + (big_endian ? bytestream_get_be32(&src)
> > -                                     : bytestream_get_le32(&src))
> > -                       + (avctx->channels-channel-1) * 4;
> > +            uint32_t offset = (big_endian ? bytestream_get_be32(&src)
> > +                                          : bytestream_get_le32(&src));
> > +                                     
> > +            srcC = src + offset + (avctx->channels-channel-1) * 4;
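Review bot: offset comes straight from the bitstream and is added to src in the last added line with no range check, and no end-of-buffer bound is visible in this hunk, so srcC can still point outside the input. Check offset plus (avctx->channels-channel-1) * 4 against the number of bytes left before forming the pointer. The whitespace-only added line between the offset declaration and the srcC assignment should be an empty line.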
> 
> He, that is obviously true. The code does have another issue though,
> it never checks for the end of src, so there may be overreads which show
> up in valgrind.
> I hacked together a patch for it but don't have the motivation to clean
> it up...
[...]
> @@ -1303,6 +1304,7 @@
>              srcC = src + (big_endian ? bytestream_get_be32(&src)
>                                       : bytestream_get_le32(&src))
>                         + (avctx->channels-channel-1) * 4;
> +            if (srcC > src_end - 4) break;
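Review bot: the added check compares srcC only after it has been computed from an unvalidated 32-bit value, so where the pointer addition wraps, srcC can end up below src and still satisfy srcC <= src_end - 4. Validate the offset as an integer against the remaining length before adding it to src, and consider whether break, which silently skips the remaining channels, should be an error return instead.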

this is not enough
the code above allows srcC to be set to any value on 32bit archs


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If a bugfix only changes things apparently unrelated to the bug with no
further explanation, that is a good sign that the bugfix is wrong.
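The failure mode named in the reply above, next to an index-based check that avoids it, as an added example (not part of the original thread and not FFmpeg's code). The names ptr_check_accepts32, rd32 and channel_start are hypothetical, and the layout (buf starting at the first per-channel offset field) is an assumption read off the quoted loop.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the quoted check with 32-bit addresses (constructed values only):
 * src + offset wraps modulo 2^32, so a huge offset can yield an address
 * below the buffer. Returns 1 when "srcC > src_end - 4" does not fire. */
int ptr_check_accepts32(uint32_t src, uint32_t src_end, uint32_t offset)
{
    uint32_t srcC = src + offset;          /* wraps like a 32-bit pointer */
    return !(srcC > src_end - 4);
}

/* Hypothetical helper, not FFmpeg's bytestream API. */
static uint32_t rd32(const uint8_t *p, int big_endian)
{
    return big_endian
        ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
        : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Index-based variant: validate the untrusted offset as an integer before any
 * pointer is formed. Assumption: buf starts at the first offset field;
 * need is the number of bytes the caller will read at the result.
 * Returns NULL instead of an out-of-range pointer. */
const uint8_t *channel_start(const uint8_t *buf, size_t size, int channels,
                             int channel, int big_endian, size_t need)
{
    if (channels <= 0 || channel < 0 || channel >= channels)
        return NULL;
    if (size / 4 < (size_t)channels)       /* offset table must fit */
        return NULL;
    /* Position of src after reading this channel's field, then the same sum
     * as the patch: offset + (channels-channel-1)*4. 64-bit, cannot wrap. */
    uint64_t pos = (uint64_t)(channel + 1) * 4
                 + rd32(buf + (size_t)channel * 4, big_endian)
                 + (uint64_t)(channels - channel - 1) * 4;
    if (pos > size || size - pos < need)
        return NULL;
    return buf + pos;
}
```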