[FFmpeg-devel] [PATCH 2/4] Implement ocv_dilate libopencv filter wrapper.

Stefano Sabatini stefano.sabatini-lala
Sun Nov 21 23:05:42 CET 2010


On date Monday 2010-11-15 15:34:28 +0100, Stefano Sabatini encoded:
> On date Friday 2010-11-12 23:10:08 +0100, Michael Niedermayer encoded:
[...]
> > > +    buf = av_malloc(size + 1);
> > > +    if (!buf) {
> > > +        fclose(file);
> > > +        return AVERROR(ENOMEM);
> > > +    }
> > > +    fread(buf, 1, size, file);
> > 
> > this looks exploitable or will at least crash
> 
> I don't know what you're talking about. Note that this is the same
> code as cmdutils.c:read_file.
> 
> > > +    buf[size++] = 0;
> > > +    fclose(file);
> > > +
> > > +    /* prescan file to get the number of lines and the maximum width */
> > > +    w = 0;
> > > +    for (i = 0; i < size; i++) {
> > > +        if (buf[i] == '\n') {
> > > +            if (++(*rows) <= 0) {
> > > +                av_log(log_ctx, AV_LOG_ERROR, "Overflow on the number of rows in the file\n");
> > > +                return AVERROR(EINVAL);
> > > +            }
> > > +            *cols = FFMAX(*cols, w);
> > > +            w = 0;
> > > +        } else if (++w <= 0) {
> > > +            av_log(log_ctx, AV_LOG_ERROR, "Overflow on the number of columns in the file\n");
> > > +            return AVERROR(EINVAL);
> > > +        }
> > 
> > these tests are useless signed overflow is undefined, any good compiler should
> > remove these tests and you still get the overflow and whatever happens without
> > them triggering
> 
> Is:
>             if (*rows == INT_MAX) {
>                 av_log(log_ctx, AV_LOG_ERROR, "Overflow on the number of rows in the file\n");
>                 return AVERROR(EINVAL);
>             }
>             ++(*rows);
> OK?
> 
> [...]
> > > +    if (*rows > sizeof(int) * INT_MAX / *cols) {
> > 
> > 4*INT_MAX
> > is this a joke?
> 
> changed to something saner:
>     if (*rows > (INT_MAX / (sizeof(int)) / *cols)) {
>         av_log(log_ctx, AV_LOG_ERROR, "File with size %dx%d is too big\n",
>                *rows, *cols);
>         return AVERROR_INVALIDDATA;
>     }
>     if (!(*values = av_mallocz(sizeof(int) * *rows * *cols)))
>         ...
[...]

Ping.
-- 
FFmpeg = Faithless Frightening MultiPurpose Encoding/decoding Geisha



More information about the ffmpeg-devel mailing list