[FFmpeg-devel] [PATCH] Fix a couple of errors with bad Vorbis headers
Michael Niedermayer
michaelni
Sat Jan 15 21:57:31 CET 2011
On Sat, Jan 15, 2011 at 09:29:49AM -0800, Frank Barchard wrote:
> On Sat, Jan 15, 2011 at 6:56 AM, Michael Niedermayer <michaelni at gmx.at> wrote:
>
> > On Mon, Jan 10, 2011 at 06:13:21PM -0800, Frank Barchard wrote:
> > > @@ -653,7 +661,7 @@ static int vorbis_parse_setup_hdr_residu
> > > res_setup->partition_size = get_bits(gb, 24) + 1;
> > > /* Validations to prevent a buffer overflow later. */
> > > if (res_setup->begin>res_setup->end ||
> > > - res_setup->end > vc->avccontext->channels * vc->blocksize[1]
> > / (res_setup->type == 2 ? 1 : 2) ||
> > > + res_setup->end > vc->avccontext->channels * vc->blocksize[1]
> > / 2 ||
> > > (res_setup->end-res_setup->begin) /
> > res_setup->partition_size > V_MAX_PARTITIONS) {
> > > av_log(vc->avccontext, AV_LOG_ERROR, "partition out of
> > bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32",
> > %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin,
> > res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
> > > return -1;
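Review bot: the replaced bound on res_setup->end drops the res_setup->type == 2 case without any comment explaining why a single limit of channels * blocksize[1] / 2 now applies to every residue type; please state the reasoning next to the "Validations to prevent a buffer overflow later" comment so the next reader can check it. The av_log call in the same hunk also prints vc->blocksize[1] / 2 as "blocksize", which omits the channels factor used in the comparison, so a rejected header logs a different bound from the one that rejected it; print the expression that is actually tested.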
> >
> > this is a mystery to me
> > what does this fix?
> >
> > What I found when looking at the code is that ptns_to_read is uint_fast16_t
> > but values stored in there are tested against
> > #define V_MAX_PARTITIONS (1 << 20)
> > that's definitely not ok
> >
>
> Agreed. That looks like a bug.
> Change it to:?
> uint_fast32_t ptns_to_read = vr->ptns_to_read;
there's more code that looks like it might need to be updated similarly,
ideally this should be looked at by someone who is familiar with the code
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin
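The width mismatch raised in this message, as an added example that is not FFmpeg code and not part of the original post: it models the guaranteed 16-bit minimum of uint_fast16_t with uint16_t, and the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define V_MAX_PARTITIONS (1 << 20)   /* limit quoted in the message */

/* Constructed stand-in for the residue fields named in the thread. */
struct residue_setup {
    uint32_t begin, end, partition_size;
    uint16_t ptns_to_read;  /* assumption: models uint_fast16_t at its
                               minimum width; wider platforms hide the bug */
};

/* Count is bounded only by V_MAX_PARTITIONS, as in the quoted check. */
static int check_loose(struct residue_setup *r)
{
    uint32_t n;
    if (r->partition_size == 0 || r->begin > r->end)
        return -1;
    n = (r->end - r->begin) / r->partition_size;
    if (n > V_MAX_PARTITIONS)
        return -1;
    r->ptns_to_read = (uint16_t)n;   /* wraps modulo 65536 when n > 65535 */
    return 0;
}

/* Count is also bounded by what the destination field can represent. */
static int check_strict(struct residue_setup *r)
{
    uint32_t n;
    if (r->partition_size == 0 || r->begin > r->end)
        return -1;
    n = (r->end - r->begin) / r->partition_size;
    if (n > V_MAX_PARTITIONS || n > UINT16_MAX)
        return -1;
    r->ptns_to_read = (uint16_t)n;
    return 0;
}

int main(void)
{
    /* Constructed header values: 70000 partitions of size 1. */
    struct residue_setup a = { 0, 70000, 1, 0 }, b = { 0, 70000, 1, 0 };
    int ra = check_loose(&a), rb = check_strict(&b);
    printf("loose:  ret=%d stored=%u\n", ra, (unsigned)a.ptns_to_read);
    printf("strict: ret=%d\n", rb);
    return 0;
}
```

The loose check accepts a count that passes the (1 << 20) limit but no longer matches the stored value, which is the inconsistency between validation and storage that the message calls out.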