[FFmpeg-devel] More ALS buffer overflows

Thilo Borgmann thilo.borgmann
Fri Feb 19 09:12:21 CET 2010


On 19.02.10 03:33, Måns Rullgård wrote:
> Reimar Döffinger <Reimar.Doeffinger at gmx.de> writes:
> 
>> That patch is not at all a solution for this issue, at best it will hide it,
>> while leaving the possibly exploitable code in.
>> The issue here is that the following code snippet has either wrong or missing
>> boundary checks:
>>         current_res = bd->raw_samples + start;
>>
>>         for (sb = 0; sb < sub_blocks; sb++, start = 0)
>>             for (; start < sb_length; start++)
>>                 *current_res++ = decode_rice(gb, s[sb]);
> 
> The patch fixes a real bug regardless of range checks.

Bug removed in revision 21892.

About the missing boundary check, I will reconsider when looking at the
other allocation related check you've mentioned.

Thanks!

-Thilo
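As an added illustration of the missing boundary check discussed above (this is not FFmpeg's code and not the change made in r21892), here is the quoted loop wrapped in a check that rejects any request which would write past the end of the residual buffer. `decode_residuals_checked`, `capacity`, `counter` and the stand-in `fake_decode_rice` are assumptions made for this example:

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for decode_rice(): the real decoder reads the
 * residual from the bitstream; here each call returns a running counter
 * so a caller can verify exactly which samples were written. */
static int32_t fake_decode_rice(int *counter, unsigned rice_param)
{
    (void)rice_param;
    return (*counter)++;
}

/* Same write pattern as the quoted loop: sub_blocks blocks of sb_length
 * samples, starting at offset `start` inside the first block. The loop
 * ends with current_res == raw_samples + sub_blocks * sb_length, so that
 * product must not exceed `capacity` (the buffer size in samples).
 * Returns the number of samples written, or -1 if the request is rejected. */
long decode_residuals_checked(int32_t *raw_samples, size_t capacity,
                              size_t start, size_t sub_blocks, size_t sb_length,
                              const unsigned *rice_params, int *counter)
{
    if (start > sb_length)
        return -1;                       /* offset beyond the first block */

    size_t total = sub_blocks * sb_length;
    if (sub_blocks != 0 && total / sub_blocks != sb_length)
        return -1;                       /* size_t multiplication overflowed */
    if (total > capacity)
        return -1;                       /* would run past raw_samples */

    int32_t *current_res = raw_samples + start;
    long written = 0;
    for (size_t sb = 0; sb < sub_blocks; sb++, start = 0)
        for (; start < sb_length; start++, written++)
            *current_res++ = fake_decode_rice(counter, rice_params[sb]);
    return written;
}
```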
