[FFmpeg-devel] [PATCH] fix for bfi buffer overread (roundup issue 2497)
Michael Niedermayer
michaelni
Thu Jan 6 22:38:20 CET 2011
On Thu, Jan 06, 2011 at 08:44:44AM -0500, Daniel Kang wrote:
> When the input resolution is too large, the bfi decoder overreads the
> data buffer. The patch attached adds a sanity check to prevent this.
> ffmpeg will still fail in decoding this with an assertion error (the
> video data itself is invalid with the sample), but it does not buffer
> overread.
>
> The roundup issue is 2497.
> bfi.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
> f75684d72bc0d5aa9b9e00887eb627ce31b2ac29 bfi_buffer_sanity_check.diff
> From 21d730f77e910810c1d3b2b69ce167d2da702be9 Mon Sep 17 00:00:00 2001
> From: Daniel Kang <daniel.d.kang at gmail.com>
> Date: Wed, 5 Jan 2011 23:46:33 -0500
> Subject: [PATCH] Sanity check on buffer reads
>
> ---
> libavcodec/bfi.c | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/libavcodec/bfi.c b/libavcodec/bfi.c
> index 91c8f6d..00631f0 100644
> --- a/libavcodec/bfi.c
> +++ b/libavcodec/bfi.c
> @@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx)
> static int bfi_decode_frame(AVCodecContext * avctx, void *data,
> int *data_size, AVPacket *avpkt)
> {
> - const uint8_t *buf = avpkt->data;
> + const uint8_t *buf = avpkt->data, *buf2 = avpkt->data;
> int buf_size = avpkt->size;
> BFIContext *bfi = avctx->priv_data;
> uint8_t *dst = bfi->dst;
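Review bot: `buf2` is a second copy of `avpkt->data` that exists only so `buf - buf2` can be compared against `buf_size` further down; an end pointer, `const uint8_t *buf_end = avpkt->data + buf_size;`, turns every later bound test into a plain pointer comparison (`buf >= buf_end`, `buf_end - buf < length`) and states the intent more clearly than a pointer difference against an `int`. If the start pointer is kept, a name such as `buf_start` would at least say what it is.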
> @@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
> unsigned int code = byte >> 6;
> unsigned int length = byte & ~0xC0;
>
> + if (buf-buf2 >= buf_size) {
> + av_log(NULL, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
^^^^
should be avctx, so the user knows where the error message comes from.
also with buf_end = avpkt->data + buf_size
the check becomes buf >= buf_end, which is a bit simpler and maybe slightly more
readable, though that's nitpicking
also the following can still overread:
switch (code) {
case 0: //Normal Chain
bytestream_get_buffer(&buf, dst, length);
dst += length;
[...]
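Review bot: the added check only guards the read of the control byte at the top of the loop; the `length` bytes that `case 0` then copies with `bytestream_get_buffer(&buf, dst, length)` are not checked against the remaining input, so the copy needs its own test, e.g. `if (buf_end - buf < length)` with an error return, before it. As quoted, the hunk ends at the `av_log` line, so the early return that must follow the message is not visible here, and `av_log(NULL, ...)` should pass `avctx` so the message is attributed to the decoder context.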
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Let us carefully observe those good qualities wherein our enemies excel us
and endeavor to excel them, by avoiding what is faulty, and imitating what
is excellent in them. -- Plutarch
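The residual overread discussed above, as an added example that is not code from FFmpeg or from either poster: a toy model of the bfi chain loop, with hypothetical names (`chain_decode_weak`, `chain_decode_checked`, the sample packets and the wrapper functions are all assumptions made here). The weak variant tests the input position once per iteration, before the control byte, as the quoted patch does; the checked variant also verifies that the `length` literal bytes are actually present before copying them, which is the check the `bytestream_get_buffer(&buf, dst, length)` call needs. The constructed short packet carries padding after its declared size so the weak decoder's overread can be counted without the demonstration itself reading out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample packet (not real bfi data): it claims to be 4 bytes long.
 * Control byte 0x05 = code 0 (normal chain), length 5, but only 3 data bytes
 * follow within the declared size. The 8 padding bytes exist only so the weak
 * decoder's overread stays inside this array. */
static const uint8_t short_packet[12] = {
    0x05, 0xAA, 0xBB, 0xCC,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
};
#define SHORT_PACKET_SIZE 4

/* Constructed well-formed packet: copy 3 literal bytes, then code 1 with
 * length 2, which this toy treats as "write two zero bytes". */
static const uint8_t good_packet[5] = { 0x03, 0xAA, 0xBB, 0xCC, 0x42 };
#define GOOD_PACKET_SIZE 5

/* Weak variant (hypothetical): mirrors the patch's single check, done before
 * the control byte is read. The literal copy is unchecked on the input side
 * and can run past buf_end. *overread receives the number of bytes consumed
 * beyond the declared size. Returns the number of bytes written to dst. */
static int chain_decode_weak(const uint8_t *buf, int buf_size,
                             uint8_t *dst, int dst_size, int *overread)
{
    const uint8_t *buf_end = buf + buf_size;
    int out = 0;
    *overread = 0;
    while (out < dst_size) {
        if (buf >= buf_end)                  /* the only bound the patch adds */
            break;
        unsigned code   = *buf >> 6;
        unsigned length = *buf & 0x3F;       /* same as byte & ~0xC0 */
        buf++;
        if (length > (unsigned)(dst_size - out))
            length = (unsigned)(dst_size - out);   /* output clamped, input is not */
        if (code == 0) {
            memcpy(dst + out, buf, length);  /* reads past buf_end when length is too big */
            buf += length;
        } else {
            memset(dst + out, 0, length);
        }
        out += length;
    }
    if (buf > buf_end)
        *overread = (int)(buf - buf_end);
    return out;
}

/* Checked variant (hypothetical): same loop, but the literal run is verified
 * against the remaining input before it is copied. Returns bytes written, or
 * -1 when the packet is truncated or would overflow the frame. */
static int chain_decode_checked(const uint8_t *buf, int buf_size,
                                uint8_t *dst, int dst_size)
{
    const uint8_t *buf_end = buf + buf_size;
    int out = 0;
    while (out < dst_size) {
        if (buf >= buf_end)
            return -1;                       /* input exhausted before the frame is full */
        unsigned code   = *buf >> 6;
        unsigned length = *buf & 0x3F;
        buf++;
        if (length > (unsigned)(dst_size - out))
            return -1;                       /* would write past the end of the frame */
        if (code == 0) {
            if ((size_t)(buf_end - buf) < length)
                return -1;                   /* the check the patch lacks: run longer than input */
            memcpy(dst + out, buf, length);
            buf += length;
        } else {
            memset(dst + out, 0, length);
        }
        out += length;
    }
    return out;
}

/* Wrappers (hypothetical) so each scenario's outcome is a returned value. */
int weak_overread_on_short_packet(void)
{
    uint8_t dst[8];
    int overread = 0;
    chain_decode_weak(short_packet, SHORT_PACKET_SIZE, dst, 8, &overread);
    return overread;                         /* 2 bytes read beyond the declared size */
}

int checked_result_on_short_packet(void)
{
    uint8_t dst[8];
    return chain_decode_checked(short_packet, SHORT_PACKET_SIZE, dst, 8);   /* -1 */
}

int checked_result_on_good_packet(void)
{
    uint8_t dst[5];
    int n = chain_decode_checked(good_packet, GOOD_PACKET_SIZE, dst, 5);
    /* expect 5 bytes: AA BB CC 00 00 */
    if (n == 5 && dst[0] == 0xAA && dst[2] == 0xCC && dst[3] == 0 && dst[4] == 0)
        return n;
    return -2;
}
```

The point of the two variants side by side is that the weak check is not wrong, only insufficient: it stops the loop from starting a new chain past the end of the packet, but the `length` field inside a chain is attacker-controlled data, so every read it drives needs its own comparison against `buf_end`. Clamping `length` against the output buffer, as both variants do, is the matching check on the write side.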