[FFmpeg-devel] [PATCH 2/6] Check for out of bound reads in xan_huffman_decode() of the xan decoder.
Michael Niedermayer
michaelni at gmx.at
Thu Sep 29 23:03:07 CEST 2011
On Thu, Sep 29, 2011 at 08:38:53PM +0200, Laurent Aimar wrote:
> On Thu, Sep 29, 2011 at 02:18:18AM +0200, Reimar Döffinger wrote:
> >
> >
> > On 29 Sep 2011, at 01:04, fenrir at elivagar.org wrote:
> >
> > > From: Laurent Aimar <fenrir at videolan.org>
> > >
> > > ---
> > > libavcodec/xan.c | 5 ++++-
> > > 1 files changed, 4 insertions(+), 1 deletions(-)
> > >
> > > diff --git a/libavcodec/xan.c b/libavcodec/xan.c
> > > index 51b4b95..3359102 100644
> > > --- a/libavcodec/xan.c
> > > +++ b/libavcodec/xan.c
> > > @@ -114,7 +114,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
> > > init_get_bits(&gb, ptr, ptr_len * 8);
> > >
> > > while ( val != 0x16 ) {
> > > - val = src[val - 0x17 + get_bits1(&gb) * byte];
> > > + int idx = val - 0x17 + get_bits1(&gb) * byte;
> > > + if (idx < 0 || idx >= 2 * byte)
> > > + return -1;
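Review bot: the upper bound in `if (idx < 0 || idx >= 2 * byte)` only protects the read if the buffer behind `src` really holds `2 * byte` table bytes, and nothing in this hunk ties `byte` to the length of the input. If `byte` is taken from the stream, a short packet could still pass this test with an index beyond the end of the data, so the source length should be checked against `2 * byte` before the loop is entered. The loop also calls `get_bits1(&gb)` without checking how many bits remain of the `ptr_len * 8` given to `init_get_bits()`; a table that never reaches 0x16 would keep reading. Minor: `return AVERROR_INVALIDDATA;` would say more than the bare `return -1;`, and the constants 0x16 and 0x17 deserve a comment.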
> >
> > Using unsigned will need one check less.
> Patch attached.
>
> > However I don't know if the condition is actually correct.
> I have looked at http://wiki.multimedia.cx/index.php?title=Wing_Commander_III_MVE_Video_Codec
> and the section parsed by xan_huffman_decode() is described as follows:
>
> byte 0 number of values in the Huffman tree (should be 22)
> bytes 1..44 Huffman tree table
> bytes 45.. Huffman-coded data.
>
> So I think it's the right test.
>
> --
> fenrir
> xan.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
> 79c4c35684d82682fc9e37c85e14d8c98d299f68 0002-Check-for-out-of-bound-reads-in-xan_huffman_decode-o.patch
> From 57f71c76f0127fa2f3d54dac5a5d69e6e8c2706b Mon Sep 17 00:00:00 2001
> From: Laurent Aimar <fenrir at videolan.org>
> Date: Wed, 28 Sep 2011 00:45:54 +0200
> Subject: [PATCH 2/2] Check for out of bound reads in xan_huffman_decode() of the xan decoder.
applied, thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No snowflake in an avalanche ever feels responsible. -- Voltaire
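The table-index check discussed in this thread, as an added example that is not part of the original messages or of FFmpeg's code: a standalone C walker over the layout quoted from the wiki, using the single unsigned comparison suggested in the review. The function name, the node encoding (values below 0x16 as literals, 0x16 as end marker), the LSB-first bit order and the error returns are assumptions; the example goes beyond the patch by also checking that the table fits in the input and that the bitstream is not exhausted.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (from the thread): src[0] = n, src[1..2n] = tree table,
 * remaining bytes = Huffman-coded bits. Assumed node encoding (not on the
 * page): table values < 0x16 are literals, 0x16 ends the stream, values
 * >= 0x17 select the next node; bits are read LSB-first.
 * Returns the number of bytes written, or -1 on malformed input. */
static int huff_decode_checked(uint8_t *dest, size_t dest_len,
                               const uint8_t *src, size_t src_len)
{
    if (src_len < 1)
        return -1;
    unsigned n = src[0];
    if (src_len - 1 < 2u * n)          /* the whole table must be present */
        return -1;
    const uint8_t *table = src + 1;
    const uint8_t *bits = table + 2u * n;
    size_t nbits = (src_len - 1 - 2u * n) * 8, pos = 0, out = 0;
    unsigned root = n + 0x16, val = root;

    while (val != 0x16) {
        if (pos >= nbits)              /* bits ran out before the end marker */
            return -1;
        unsigned bit = (bits[pos >> 3] >> (pos & 7)) & 1;
        pos++;
        /* Unsigned index: an offset below zero would wrap to a large value,
         * so one comparison rejects both the negative and the too-large case. */
        unsigned idx = val - 0x17 + bit * n;
        if (idx >= 2u * n)
            return -1;
        val = table[idx];
        if (val < 0x16) {              /* literal: emit it, restart at the root */
            if (out >= dest_len)
                return -1;
            dest[out++] = (uint8_t)val;
            val = root;
        }
    }
    return (int)out;
}

/* Constructed sample: n = 2, table {07 05 16 17}, bits 0,1,0,1,1 -> 05 07 */
int main(void)
{
    const uint8_t sample[] = {0x02, 0x07, 0x05, 0x16, 0x17, 0x1A};
    uint8_t out[8];
    return huff_decode_checked(out, sizeof out, sample, sizeof sample) == 2 ? 0 : 1;
}
```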