[FFmpeg-devel] [PATCH] fix for bfi buffer overread (roundup issue 2497)
Michael Niedermayer
michaelni
Thu Jan 6 23:49:17 CET 2011
On Thu, Jan 06, 2011 at 05:05:12PM -0500, Daniel Kang wrote:
> On Thu, Jan 6, 2011 at 4:38 PM, Michael Niedermayer <michaelni at gmx.at>wrote:
>
> > > bfi.c | 7 ++++++-
> > > 1 file changed, 6 insertions(+), 1 deletion(-)
> > > f75684d72bc0d5aa9b9e00887eb627ce31b2ac29 bfi_buffer_sanity_check.diff
> > > From 21d730f77e910810c1d3b2b69ce167d2da702be9 Mon Sep 17 00:00:00 2001
> > > From: Daniel Kang <daniel.d.kang at gmail.com>
> > > Date: Wed, 5 Jan 2011 23:46:33 -0500
> > > Subject: [PATCH] Sanity check on buffer reads
> > >
> > > ---
> > > libavcodec/bfi.c | 7 ++++++-
> > > 1 files changed, 6 insertions(+), 1 deletions(-)
> > >
> > > diff --git a/libavcodec/bfi.c b/libavcodec/bfi.c
> > > index 91c8f6d..00631f0 100644
> > > --- a/libavcodec/bfi.c
> > > +++ b/libavcodec/bfi.c
> > > @@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext *
> > avctx)
> > > static int bfi_decode_frame(AVCodecContext * avctx, void *data,
> > > int *data_size, AVPacket *avpkt)
> > > {
> > > - const uint8_t *buf = avpkt->data;
> > > + const uint8_t *buf = avpkt->data, *buf2 = avpkt->data;
> > > int buf_size = avpkt->size;
> > > BFIContext *bfi = avctx->priv_data;
> > > uint8_t *dst = bfi->dst;
> > > @@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx,
> > void *data,
> > > unsigned int code = byte >> 6;
> > > unsigned int length = byte & ~0xC0;
> > >
> > > + if (buf-buf2 >= buf_size) {
> > > + av_log(NULL, AV_LOG_ERROR, "Input resolution larger than
> > actual frame.\n");
> > ^^^^
> > should be avctx, so the user knows from where the error message comes from.
> >
> > also with buf_end= avpkt->data + buf_size
> > the check becomes buf >= buf_end which is a bit simpler and maybe slightly
> > more
> > readable though thats nitpicking
> >
> > also the following can still overread:
> > switch (code) {
> >
> > case 0: //Normal Chain
> > bytestream_get_buffer(&buf, dst, length);
> > dst += length;
> >
>
> I have updated the patch to use buf_end and include a second check.
> bfi.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
> e49f9bcda43631706025ad413421f05e5ecd2c99 bfi_buffer_sanity_check.diff
> From dd3ed1e69b99d479948593c795ecef05dd419ede Mon Sep 17 00:00:00 2001
> From: Daniel Kang <daniel.d.kang at gmail.com>
> Date: Wed, 5 Jan 2011 23:46:33 -0500
> Subject: [PATCH] Sanity check on buffer reads
>
> ---
> libavcodec/bfi.c | 11 ++++++++++-
> 1 files changed, 10 insertions(+), 1 deletions(-)
>
> diff --git a/libavcodec/bfi.c b/libavcodec/bfi.c
> index 91c8f6d..13dd712 100644
> --- a/libavcodec/bfi.c
> +++ b/libavcodec/bfi.c
> @@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx)
> static int bfi_decode_frame(AVCodecContext * avctx, void *data,
> int *data_size, AVPacket *avpkt)
> {
> - const uint8_t *buf = avpkt->data;
> + const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
> int buf_size = avpkt->size;
> BFIContext *bfi = avctx->priv_data;
> uint8_t *dst = bfi->dst;
> @@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
> unsigned int code = byte >> 6;
> unsigned int length = byte & ~0xC0;
>
> + if (buf >= buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
> + return -1;
> + }
> +
> /* Get length and offset(if required) */
> if (length == 0) {
> if (code == 1) {
> @@ -121,6 +126,10 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
> switch (code) {
>
> case 0: //Normal Chain
> + if (buf + length >= buf_end) {
This has a very small chance that buf + length overflows, that is if buf is
close to 0xFFFFFFFF on a 32bit system or 0xFFFFFFFFFFFFFFFF on 64bit then
buf + length can be smaller than buf and thus also smaller than buf_end
This is unlikely in practice but its easy to avoid this problem by using
if(length >= buf_end - buf)
as a rule of thumb, the variable to be checked for validity should be
alone on one side of the </>/<=/>= to avoid this kind of problem
The same issue exists with code like
if(something * sizeof(some struct) > foo)
vs.
if(something > foo / sizeof(some struct))
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110106/e25c645d/attachment.pgp>
More information about the ffmpeg-devel
mailing list