[FFmpeg-devel] [PATCH][RFC] variable frame sizes
Michael Niedermayer
michaelni
Mon Jun 8 12:33:40 CEST 2009
On Sat, Jun 06, 2009 at 03:32:23PM -0700, Eric Buehl wrote:
> > The code must not be exploitable.
> > That is it must not be possible to execute arbitrary code by any
> > intentionally created sequence of bytes.
> > -> under no circumstances may a write happen to a address that is outside
> > the intended array
> >
> > overflows in variables related to picture dimensions are likely not safe
> > nor is randomly changing the output w/h
>
>
>
> I believe the code in question is these section of lines:
>
> > + /* keep bands proportional to the frame size */
> > + ost->topBand = MAKE_EVEN(ist->st->codec->height *
> ost->original_topBand / ost->original_height);
> > + ost->bottomBand = MAKE_EVEN(ist->st->codec->height *
> ost->original_bottomBand / ost->original_height);
> > + ost->leftBand = MAKE_EVEN(ist->st->codec->width *
> ost->original_leftBand / ost->original_width);
> > + ost->rightBand = MAKE_EVEN(ist->st->codec->width *
> ost->original_rightBand / ost->original_width);
>
> The relation of original_*band and original_[width,height] is constrained by
> the appropriate opt_frame_crop_* function such that frame_*Band < 0 and
> (frame_*Band) >= frame_width. If these constraints hold, I don't see how
> the result could ever not fit within 32 bits (assuming
> ist->st->codec->[height,width] is always a 32 bit int).
>
> However, if one of these preconditions were to be changed, yes, it could
> overflow. As a sanity check, perhaps it should error out if this was
> detected so as not to introduce a seemingly random change in output
> height/width?
yes, it seems you are correct
> Something like assert(result <= INT_MAX && result > 0) before
> the 64->32 cast?
yes
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No snowflake in an avalanche ever feels responsible. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090608/f8ce5b1d/attachment.pgp>
More information about the ffmpeg-devel
mailing list