[FFmpeg-devel] [PATCH] ogg: Fix OOB write during ogg_read_seek()

Michael Niedermayer michaelni at gmx.at
Tue Apr 17 14:28:54 CEST 2012


On Tue, Apr 17, 2012 at 08:52:57AM +0200, Reimar Döffinger wrote:
> On 16 Apr 2012, at 22:57, dalecurtis at chromium.org wrote:
> > From: Dale Curtis <dalecurtis at chromium.org>
> > 
> > Prevents an OOB write of size 4 when ogg_read_seek is called with
> > a stream_index >= ogg->nstreams.
> > 
> > In this case s->nb_streams == 3, yet ogg->nstreams == 1 and
> > stream_index == 1; causing os->keyframe_seek = 1 to write OOB.
> 
> I think something must have gone seriously wrong at the point where those stream counts started to differ and you are just covering up for the real bug...

Yes, I think I've found it.
Fix committed (as I think it's better to fix this ASAP; it's easy to
improve later in case a better solution is suggested).

I'll also add some av_assert0() just to be sure,
and I think the error paths should be reviewed against being able to
cause inconsistencies in the stream numbers.

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The educated differ from the uneducated as much as the living from the
dead. -- Aristotle 
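The commit message above describes a seek reaching the demuxer with a stream_index that the container's nb_streams allows but the demuxer's own nstreams array does not back, so the 4-byte keyframe_seek store lands past the end of the array. The following C snippet is an added illustration of the two defensive measures the thread discusses (a range check against the demuxer's own count, and an assertion that the two counts agree). It is not FFmpeg code; every struct, function and value in it is a constructed stand-in, and the mismatched counts (nb_streams == 3, nstreams == 1, stream_index == 1) are taken from the report:

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-in for the demuxer's per-stream record. The only field
 * kept is the one whose 4-byte write went out of bounds in the report. */
struct ogg_stream {
    int keyframe_seek;
};

/* Constructed stand-in for the demuxer's private context: its own stream
 * array and the length of that array (nstreams). */
struct ogg_ctx {
    struct ogg_stream *streams;
    int nstreams;
};

/* Constructed stand-in for the container context the caller indexes by
 * (nb_streams). In the reported case this count and nstreams disagreed. */
struct fmt_ctx {
    struct ogg_ctx *priv;
    int nb_streams;
};

/* Hypothetical hardened seek: validate stream_index against the array the
 * store actually targets (nstreams), never against nb_streams.
 * Returns 0 on success, -EINVAL if the index has no backing ogg_stream. */
int ogg_seek_checked(struct fmt_ctx *s, int stream_index)
{
    struct ogg_ctx *ogg = s->priv;

    if (stream_index < 0 || stream_index >= ogg->nstreams)
        return -EINVAL;

    ogg->streams[stream_index].keyframe_seek = 1;
    return 0;
}

/* The invariant the reply proposes guarding with av_assert0(): the two
 * stream counts must agree. Returns 1 when consistent, 0 otherwise, so a
 * caller can abort (assert-style) or bail out with an error on mismatch. */
int ogg_counts_consistent(const struct fmt_ctx *s)
{
    return s->priv->nstreams == s->nb_streams;
}

/* Reproduce the mismatched state from the report with constructed data:
 * one backing stream, but a container claiming three. Returns the result
 * of a checked seek on the given index. */
int demo_mismatched_seek(int stream_index)
{
    struct ogg_stream streams[1] = { { 0 } };
    struct ogg_ctx ogg = { streams, 1 };
    struct fmt_ctx s = { &ogg, 3 };

    return ogg_seek_checked(&s, stream_index);
}

/* Same constructed state; reports whether the count mismatch is detected. */
int demo_mismatch_detected(void)
{
    struct ogg_stream streams[1] = { { 0 } };
    struct ogg_ctx ogg = { streams, 1 };
    struct fmt_ctx s = { &ogg, 3 };

    return !ogg_counts_consistent(&s);
}
```

With the report's values, `demo_mismatched_seek(1)` is refused with -EINVAL where the original code would have written past the array, while index 0 still succeeds; `demo_mismatch_detected()` shows the count disagreement that the thread identifies as the real bug, which is what an av_assert0() on the two counts would catch before any seek.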
