[FFmpeg-devel] patch for mpegaudiodec.c to prevent buffer read-access overflow

Francois Oligny-Lemieux eucloid
Thu Mar 12 18:32:50 CET 2009


On Wed, Mar 11, 2009 at 8:30 PM, Michael Niedermayer <michaelni at gmx.at> wrote:

> On Wed, Mar 11, 2009 at 01:35:31PM -0500, Francois Oligny-Lemieux wrote:
> > Hi,
> > I identified a place in mpegaudiodec.c where a crash could (and in my case
> > was) happening from time to time. The crash will happen when the audio
> > header is corrupted. The original code was doing buf++ while searching for
> > the header without any consideration for the buffer end causing an overflow
> > and eventually a read-access violation. Also after a successful resync, the
> > code was not adjusting the buffer_size.
> >
> > I attached a patch containing the fix I'm using for this problem, but feel
> > free to make your own changes to it.
> >
> > Francois
>
> > Index: mpegaudiodec.c
> > ===================================================================
> > --- mpegaudiodec.c    (revision 17942)
> > +++ mpegaudiodec.c    (working copy)
> > @@ -2264,6 +2264,7 @@
> >      uint32_t header;
> >      int out_size;
> >      OUT_INT *out_samples = data;
> > +    uint8_t * buf_end = buf + buf_size;
> >
> >  retry:
> >      if(buf_size < HEADER_SIZE)
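Review bot: the new `uint8_t * buf_end` introduces a second piece of state that duplicates what `buf_size` already tracks, and it drops `const` if `buf` is a `const uint8_t *` as decoder input buffers normally are, which would make `buf_end = buf + buf_size` warn. The `if(buf_size < HEADER_SIZE)` check right after `retry:` is the bound that has to hold before the header read, so keeping `buf_size` in step with `buf` wherever `buf++` happens closes the overread without a second pointer. Style: `uint8_t *buf_end`, matching `OUT_INT *out_samples` two lines above.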
> > @@ -2274,8 +2275,12 @@
> >          buf++;
> >  //        buf_size--;
> >          av_log(avctx, AV_LOG_ERROR, "Header missing skipping one
> byte.\n");
> > +        if ( buf + 3 > buf_end ){
> > +            return -1; // will overflow
> > +        }
> >          goto retry;
> >      }
> > +    buf_size = buf_end - buf;
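Review bot: the added `if ( buf + 3 > buf_end )` is a second bound check with a hard-coded 3 next to a loop whose existing check already uses `HEADER_SIZE`; restoring the commented-out `buf_size--;` beside `buf++;` lets the `retry:` check catch the overread on the next pass and makes the trailing `buf_size = buf_end - buf;` unnecessary. As written the new test is also off by one: with `>` rather than `>=`, a buffer with exactly three bytes left passes, which is one short of the four-byte read the `uint32_t header` implies, so the read after the loop can still run past the end. Returning -1 here also bypasses whatever error handling the `buf_size < HEADER_SIZE` branch performs; going through the same path keeps the two failure modes consistent. Brace and parenthesis spacing should follow the surrounding `if(buf_size < HEADER_SIZE)` style.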
>
> considering that there is a check after retry and you don't fix the existing
> check but rather add a second messy check
> rejected


I see what you mean... then I suggest just restoring the buf_size--. I don't
know why it was left commented-out in the first place?

Francois
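The bookkeeping under discussion, advancing `buf` and shrinking `buf_size` together so that the single check at `retry:` guards every header read, written out as a stand-alone C example added here; it is not FFmpeg code and not the attached patch. `find_frame_header` and `header_has_sync` are illustrative names, `HEADER_SIZE` reuses the symbol from the thread with the 4-byte MPEG audio header length, the sync test only checks the 11-bit frame sync and none of the fields the real decoder validates, and both sample buffers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same symbol the decoder uses; the MPEG audio frame header is 4 bytes. */
#define HEADER_SIZE 4

/* Simplified sync test: the 11 frame-sync bits (all ones) at the top of the
 * 32-bit header. The real decoder validates more fields than this. */
static int header_has_sync(uint32_t header)
{
    return (header & 0xFFE00000u) == 0xFFE00000u;
}

/* Scan for a frame header, moving buf and buf_size in lock step.
 * Returns the byte offset of the header, or -1 once fewer than HEADER_SIZE
 * bytes remain, so the 4-byte read can never run past buf + buf_size. */
int find_frame_header(const uint8_t *buf, int buf_size, uint32_t *header_out)
{
    const uint8_t *start = buf;

    for (;;) {
        /* The one bound check, evaluated before every header read. This is
         * the check at retry: in the decoder; it only protects the read if
         * buf_size is kept current below. */
        if (buf_size < HEADER_SIZE)
            return -1;

        uint32_t header = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
                        | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
        if (header_has_sync(header)) {
            if (header_out)
                *header_out = header;
            return (int)(buf - start);
        }

        /* Header missing: skip one byte. Decrementing buf_size here is the
         * step the commented-out line in the decoder omitted; without it the
         * check above compares against a stale length. */
        buf++;
        buf_size--;
    }
}

int main(void)
{
    /* Constructed input: two junk bytes, then a header with valid sync. */
    static const uint8_t good[] = { 0x00, 0x12, 0xFF, 0xFB, 0x90, 0x64, 0x00, 0x00 };
    /* Constructed input: no sync anywhere; the trailing 0xFF would tempt an
     * unchecked scanner into reading past the end. */
    static const uint8_t bad[]  = { 0x00, 0x01, 0x02, 0x03, 0x04, 0xFF };
    uint32_t h = 0;
    int off;

    off = find_frame_header(good, (int)sizeof(good), &h);
    printf("good: header at offset %d (0x%08X)\n", off, h);

    off = find_frame_header(bad, (int)sizeof(bad), &h);
    printf("bad: %d (no header found, no overread)\n", off);
    return 0;
}
```

On the second buffer the scan stops at offset 3 with three bytes left: that is exactly the position where a loop that advances `buf` but leaves `buf_size` untouched would pass the `HEADER_SIZE` check and read one byte past the end.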
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mpegaudiodec.c.12mar2009.diff
Type: application/octet-stream
Size: 421 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090312/da412b1e/attachment.obj>



More information about the ffmpeg-devel mailing list