[FFmpeg-devel] [PATCH] Fix a couple of errors with bad Vorbis headers

Frank Barchard fbarchard
Sat Jan 15 18:29:49 CET 2011


On Sat, Jan 15, 2011 at 6:56 AM, Michael Niedermayer <michaelni at gmx.at> wrote:

> On Mon, Jan 10, 2011 at 06:13:21PM -0800, Frank Barchard wrote:
>    > @@ -653,7 +661,7 @@ static int vorbis_parse_setup_hdr_residu
> >          res_setup->partition_size = get_bits(gb, 24) + 1;
> >          /* Validations to prevent a buffer overflow later. */
> >          if (res_setup->begin>res_setup->end ||
> > -            res_setup->end > vc->avccontext->channels * vc->blocksize[1]
> / (res_setup->type == 2 ? 1 : 2) ||
> > +            res_setup->end > vc->avccontext->channels * vc->blocksize[1]
> / 2 ||
> >              (res_setup->end-res_setup->begin) /
> res_setup->partition_size > V_MAX_PARTITIONS) {
> >              av_log(vc->avccontext, AV_LOG_ERROR, "partition out of
> bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32",
> %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin,
> res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
> >              return -1;
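
Review bot: The new limit on `res_setup->end` drops the `res_setup->type == 2` case, and nothing in the hunk says why `vc->avccontext->channels * vc->blocksize[1] / 2` is now the right bound for every residue type; the comment above it only says "Validations to prevent a buffer overflow later". Please name the buffer and its size in that comment so the bound can be checked against the allocation. The `av_log` call also prints `vc->blocksize[1] / 2` as "blocksize", which is not the limit `res_setup->end` is compared against, so the error message will not show why a stream was rejected; consider logging the computed limit instead.
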
>
> this is a mystery to me
> what does this fix?
>
> What I found when looking at the code is that ptns_to_read is uint_fast16_t
> but values stored in there are tested against
> #define V_MAX_PARTITIONS (1 << 20)
> that's definitely not ok
>

Agreed.  That looks like a bug.
Change it to:?
uint_fast32_t ptns_to_read = vr->ptns_to_read;
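
The width mismatch discussed above, as an added C example that is not from the thread or from FFmpeg: a partition count that passes the `V_MAX_PARTITIONS` test is stored once in a 16-bit variable and once in a 32-bit one. The `struct residue`, the helper names and the sample values are assumptions made for illustration, and `uint16_t` stands in for a platform where `uint_fast16_t` is exactly 16 bits wide.

```c
#include <stdint.h>
#include <stdio.h>

#define V_MAX_PARTITIONS (1 << 20)   /* limit quoted in the thread */

/* Hypothetical stand-in for the residue setup fields used in the check.
 * partition_size is always >= 1 (the parser adds 1 to a 24-bit field). */
struct residue {
    uint32_t begin, end, partition_size;
};

/* Partition count, as in the validation expression shown in the hunk. */
static uint32_t partition_count(const struct residue *r)
{
    return (r->end - r->begin) / r->partition_size;
}

/* Returns 1 if the count passes the V_MAX_PARTITIONS test. */
static int count_is_accepted(const struct residue *r)
{
    return r->begin <= r->end && partition_count(r) <= V_MAX_PARTITIONS;
}

/* uint_fast16_t is only guaranteed to hold 16 bits; uint16_t models
 * a platform where it is exactly that wide (assumption). */
static uint32_t stored_narrow(const struct residue *r)
{
    uint16_t ptns_to_read = (uint16_t)partition_count(r);
    return ptns_to_read;
}

/* uint_fast32_t holds at least 32 bits, enough for 1 << 20. */
static uint32_t stored_wide(const struct residue *r)
{
    uint_fast32_t ptns_to_read = partition_count(r);
    return (uint32_t)ptns_to_read;
}

int main(void)
{
    struct residue r = { 0, 70000, 1 };  /* constructed sample values */
    printf("accepted=%d narrow=%u wide=%u\n", count_is_accepted(&r),
           (unsigned)stored_narrow(&r), (unsigned)stored_wide(&r));
    return 0;
}
```

Any count above 65535 that the validation accepts is silently reduced modulo 65536 in the narrow variable, so later loops run with a different partition count than the one that was checked.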


