[FFmpeg-devel] H263 decoding crash, [BUG] : reading memory past the end of the buffer.
Baptiste Coudurier
Fri Jun 5 05:09:21 CEST 2009
Hi,
On 6/4/2009 7:49 PM, Pavel Pavlov wrote:
> [...]
>
> I was able to get more info
>
> show_bits (h263.c:4190) is called with GetBitsContext that contains
> these values:
> buffer : 0x017dbf4c (25018188)
> buffer_end : 0x017dcffd (25022461)
> index : 34184
> size_in_bits : 34184
>
> And the exception I get is:
> Unhandled exception at 0x10180e06 (avcodec-52.dll) in EC-09.exe:
> 0xC0000005: Access violation reading location 0x017dd000.
>
> Location 0x017dd000 (25022464) is just 3 bytes outside of
> passed GetBitsContext.buffer_end
>
> The place of crash has this asm code:
> int v= show_bits(&s->gb, 16);
> 10180DF5 mov ebx,dword ptr [esp+0B4h]
> 10180DFC mov edx,dword ptr [ebx+8]
> 10180DFF mov eax,dword ptr [ebx]
> 10180E01 mov edi,edx
> 10180E03 sar edi,3
> 10180E06 mov eax,dword ptr [edi+eax]
> 10180E09 bswap eax
> 10180E0B mov ecx,edx
> 10180E0D and ecx,7
> 10180E10 shl eax,cl
> 10180E12 shr eax,0F0h
>
> And the crash is at 10180e06
>
> The values passed to show_bits as buffer and buffer_end are the pointer
> to the h263 video data that I pass to the decoder:
> avcodec_decode_video(m_pContext, m_pFrame, &nResult, (uint8_t*)pData,
> nSize);
> where pData is 0x017dbf4c and nSize is 4273 (which is 34184/8)
>
> At the point of crash EDI is 000010B1 and eax is 017DBF4C, which means
> that edi contains 4273 and eax is the passed buffer, so on line 10180E06
> it tries to read past the buffer.
Check that the buffer is correctly allocated with
FF_INPUT_BUFFER_PADDING_SIZE which is needed when get_bits is used.
[...]
--
Baptiste COUDURIER GnuPG Key Id: 0x5C1ABAAA
Key fingerprint 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
FFmpeg maintainer http://www.ffmpeg.org
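As an added illustration of the exchange above (not code from the thread or from FFmpeg), the following models the 32-bit fetch that show_bits performs at byte offset index >> 3, checks how far past an unpadded buffer the reported fetch reaches, and shows the padded, zero-filled copy a caller is expected to hand to the decoder. The padding size (INPUT_PADDING) and the 0xAB packet contents are assumed; real code uses FF_INPUT_BUFFER_PADDING_SIZE from avcodec.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FF_INPUT_BUFFER_PADDING_SIZE; the value is assumed here.
 * Real callers must use the macro from avcodec.h. */
#define INPUT_PADDING 8

/* Model of the fetch inside show_bits(): four bytes are loaded at byte
 * offset (index >> 3) regardless of how many bits are actually left
 * (compare the asm above: mov eax,[edi+eax] with edi = index >> 3). */
static uint32_t fetch32(const uint8_t *buf, int index_bits) {
    const uint8_t *p = buf + (index_bits >> 3);
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* Number of bytes beyond a 'size'-byte buffer that a fetch at
 * 'index_bits' touches (0 when the fetch stays inside the buffer). */
static int fetch_overrun(int size, int index_bits) {
    int end = (index_bits >> 3) + 4;    /* one past the last byte read */
    return end > size ? end - size : 0;
}

/* Copy compressed data into a buffer with zeroed padding after it,
 * which is what the decoder requires from its caller. */
static uint8_t *padded_copy(const uint8_t *data, int size) {
    uint8_t *buf = malloc((size_t)size + INPUT_PADDING);
    if (!buf)
        return NULL;
    memcpy(buf, data, (size_t)size);
    memset(buf + size, 0, INPUT_PADDING);  /* zero padding, never garbage */
    return buf;
}

/* The numbers from the report: 4273-byte packet, index == size_in_bits. */
static int overrun_in_report(void) {
    return fetch_overrun(4273, 4273 * 8);   /* reaches 4 bytes past the end */
}

/* The same fetch against a padded copy stays inside the allocation
 * and yields the zeroed padding instead of faulting. */
static uint32_t fetch_from_padded(void) {
    uint8_t packet[4273];                    /* constructed frame data */
    memset(packet, 0xAB, sizeof packet);
    uint8_t *buf = padded_copy(packet, (int)sizeof packet);
    uint32_t v = buf ? fetch32(buf, (int)sizeof packet * 8) : 0xFFFFFFFFu;
    free(buf);
    return v;
}
```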