[FFmpeg-devel] [PATCH] buffer read sanity check (issue 2503)
Michael Niedermayer
michaelni
Fri Jan 7 16:07:51 CET 2011
On Fri, Jan 07, 2011 at 10:02:25AM -0500, Daniel Kang wrote:
> On Fri, Jan 7, 2011 at 9:46 AM, Michael Niedermayer <michaelni at gmx.at>wrote:
>
> > On Thu, Jan 06, 2011 at 11:51:58PM -0500, Daniel Kang wrote:
> > > ffmpeg does not check for buffer overreading in the dpx decoder. For
> > > invalid headers, the target_packet_size or width could be too large. The
> > > patch attached adds a sanity check.
> >
> > > dpx.c | 9 +++++++++
> > > 1 file changed, 9 insertions(+)
> > > e3c6cd5042d736935c2c5a730c93ee96f108b988 dpx_buffer_sanity_check.diff
> > > From ae6ec1ce796735a666afb6b911c8c9e594b1eb8a Mon Sep 17 00:00:00 2001
> > > From: Daniel Kang <daniel.d.kang at gmail.com>
> > > Date: Thu, 6 Jan 2011 23:34:05 -0500
> > > Subject: [PATCH] dpx buffer overread sanity check
> > >
> > > ---
> > > libavcodec/dpx.c | 9 +++++++++
> > > 1 files changed, 9 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
> > > index f92b3d0..588ec6c 100644
> > > --- a/libavcodec/dpx.c
> > > +++ b/libavcodec/dpx.c
> > > @@ -55,6 +55,7 @@ static int decode_frame(AVCodecContext *avctx,
> > > AVPacket *avpkt)
> > > {
> > > const uint8_t *buf = avpkt->data;
> > > + const uint8_t *buf_end = avpkt->data + avpkt->size;
> > > int buf_size = avpkt->size;
> > > DPXContext *const s = avctx->priv_data;
> > > AVFrame *picture = data;
> > > @@ -174,6 +175,10 @@ static int decode_frame(AVCodecContext *avctx,
> > > case 16:
> > > if (source_packet_size == target_packet_size) {
> > > for (x = 0; x < avctx->height; x++) {
> > > + if (buf + target_packet_size*avctx->width > buf_end)
> > {
> > > + av_log(avctx, AV_LOG_ERROR, "Overread buffer.
> > Invalid header?\n");
> > > + return -1;
> > > + }
> > > memcpy(ptr, buf, target_packet_size*avctx->width);
> > > ptr += stride;
> > > buf += source_packet_size*avctx->width;
> > > @@ -182,6 +187,10 @@ static int decode_frame(AVCodecContext *avctx,
> > > for (x = 0; x < avctx->height; x++) {
> > > uint8_t *dst = ptr;
> > > for (y = 0; y < avctx->width; y++) {
> > > + if (buf + target_packet_size > buf_end) {
> > > + av_log(avctx, AV_LOG_ERROR, "Overread
> > buffer. Invalid header?\n");
> > > + return -1;
> > > + }
> >
> > something like
> >
> > if(source_packet_size * avctx->width > buf_end - buf)
> > at a single spot should be able to catch all i think
>
>
> It would be possible to move the check outside the loop, but I am not
> sure if target_packet_size*avctx->width*avctx->height would overflow or
> not. Should I check for this instead?
i think it cant overflow, and i think its source not target
source is whats added to buf and we check against buf
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
There will always be a question for which you do not know the correct awnser.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110107/f43d5e52/attachment.pgp>
More information about the ffmpeg-devel
mailing list