[FFmpeg-devel] More ALS buffer overflows
Fri Feb 19 09:12:21 CET 2010
On 19.02.10 03:33, Måns Rullgård wrote:
> Reimar Döffinger <Reimar.Doeffinger at gmx.de> writes:
>> That patch is not at all a solution for this issue, at best it will hide it,
>> while leaving the possibly exploitable code in.
>> The issue here is that the following code snippet has either wrong or missing
>> boundary checks:
>> current_res = bd->raw_samples + start;
>> for (sb = 0; sb < sub_blocks; sb++, start = 0)
>> for (; start < sb_length; start++)
>> *current_res++ = decode_rice(gb, s[sb]);
> The patch fixes a real bug regardless of range checks.
Bug removed in revision 21892.
About the missing boundary check, I will reconsider it when looking at the
other allocation-related check you've mentioned.
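Added example (not code from this thread and not FFmpeg's ALS decoder): the quoted loop with the missing bound check placed in front of it. With `start <= sb_length` the loop writes `sub_blocks * sb_length - start` residuals beginning at `raw_samples + start`, so it touches offsets `[start, sub_blocks * sb_length)`; the check rejects the block before the first write if that range leaves the allocation. `Block`, `BitReader`, the `capacity` field, `decode_rice_stub` and the byte-per-residual input are stand-ins assumed for the demo, not FFmpeg's types or bit syntax.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the decoder state named on the page.
 * They are not FFmpeg's ALS structures; they only let the loop run here. */
typedef struct {
    const uint8_t *buf;   /* constructed input "bitstream" (one byte per residual) */
    size_t         len;
    size_t         pos;
} BitReader;

typedef struct {
    int32_t *raw_samples; /* output buffer, as in the quoted snippet */
    size_t   capacity;    /* int32_t slots actually allocated (assumed field) */
} Block;

/* Stand-in for decode_rice(): consumes one byte per residual instead of a
 * real Rice code, so the demo does not depend on the ALS bit syntax. */
static int32_t decode_rice_stub(BitReader *gb, unsigned k)
{
    (void)k;
    if (gb->pos >= gb->len)
        return 0;                               /* input exhausted: emit zeros */
    return (int32_t)gb->buf[gb->pos++] - 128;
}

/* The loop from the page with the missing check added in front of it.
 * Returns 0 on success, -1 if the write range [start, sub_blocks*sb_length)
 * would leave raw_samples; on -1 nothing has been read or written. */
static int decode_residuals_checked(Block *bd, BitReader *gb, size_t start,
                                    size_t sub_blocks, size_t sb_length,
                                    const unsigned *s)
{
    if (sub_blocks == 0 || sb_length == 0)
        return 0;                               /* loop would write nothing */
    if (start > sb_length)
        return -1;                              /* malformed start offset */
    if (sub_blocks > SIZE_MAX / sb_length)
        return -1;                              /* product would wrap */
    if (sub_blocks * sb_length > bd->capacity)
        return -1;                              /* would run off raw_samples */

    int32_t *current_res = bd->raw_samples + start;
    for (size_t sb = 0; sb < sub_blocks; sb++, start = 0)
        for (; start < sb_length; start++)
            *current_res++ = decode_rice_stub(gb, s[sb]);
    return 0;
}

#define DEMO_CAPACITY 8   /* fixed allocation used by every scenario below */

/* Runs one scenario on a zeroed 8-slot buffer with a constructed 32-byte
 * input where residual i decodes to the value i. Returns decoder status. */
static int run_scenario(size_t start, size_t sub_blocks, size_t sb_length,
                        int32_t out[DEMO_CAPACITY])
{
    uint8_t  bytes[32];
    unsigned s[DEMO_CAPACITY] = {0};  /* capacity 8 bounds sub_blocks at 8 */
    for (size_t i = 0; i < sizeof bytes; i++)
        bytes[i] = (uint8_t)(128 + i);
    for (size_t i = 0; i < DEMO_CAPACITY; i++)
        out[i] = 0;
    BitReader gb = { bytes, sizeof bytes, 0 };
    Block     bd = { out, DEMO_CAPACITY };
    return decode_residuals_checked(&bd, &gb, start, sub_blocks, sb_length, s);
}

static int scenario_status(size_t start, size_t sub_blocks, size_t sb_length)
{
    int32_t out[DEMO_CAPACITY];
    return run_scenario(start, sub_blocks, sb_length, out);
}

/* Value left at out[idx] after a successful decode; INT32_MIN if rejected. */
static int32_t scenario_sample(size_t start, size_t sub_blocks,
                               size_t sb_length, size_t idx)
{
    int32_t out[DEMO_CAPACITY];
    if (idx >= DEMO_CAPACITY || run_scenario(start, sub_blocks, sb_length, out) != 0)
        return INT32_MIN;
    return out[idx];
}

int main(void)
{
    printf("2 sub-blocks x 4, start 0: %s\n", scenario_status(0, 2, 4) ? "rejected" : "ok");
    printf("4 sub-blocks x 4, start 0: %s\n", scenario_status(0, 4, 4) ? "rejected" : "ok");
    printf("2 sub-blocks x 4, start 2: %s\n", scenario_status(2, 2, 4) ? "rejected" : "ok");
    printf("2 sub-blocks x 4, start 5: %s\n", scenario_status(5, 2, 4) ? "rejected" : "ok");
    return 0;
}
```

The check has to come before the loop because the loop itself cannot stop early: once `sub_blocks * sb_length` exceeds the allocation, every extra iteration is a write past `raw_samples` no matter how small each residual is. The overflow guard on the product matters for the same reason; a wrapped product would pass the capacity comparison and re-enable the overrun.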