[FFmpeg-devel] [PATCH] ogg: Fix OOB write during ogg_read_seek()

Dale Curtis dalecurtis at chromium.org
Tue Apr 17 19:32:40 CEST 2012


On Tue, Apr 17, 2012 at 5:28 AM, Michael Niedermayer <michaelni at gmx.at> wrote:

> On Tue, Apr 17, 2012 at 08:52:57AM +0200, Reimar Döffinger wrote:
> > On 16 Apr 2012, at 22:57, dalecurtis at chromium.org wrote:
> > > From: Dale Curtis <dalecurtis at chromium.org>
> > >
> > > Prevents an OOB write of size 4 when ogg_read_seek is called with
> > > a stream_index >= ogg->nstreams.
> > >
> > > In this case s->nb_streams == 3, yet ogg->nstreams == 1 and
> > > stream_index == 1; causing os->keyframe_seek = 1 to write OOB.
> >
> > I think something must have gone seriously wrong at the point where
> > those stream counts started to differ and you are just covering up for the
> > real bug...
>
> Yes, I think I've found it.
> Fix committed (as I think it's better to fix this ASAP; it's easy to
> improve later in case a better solution is suggested).
>
> I'll also add some av_assert0() just to be sure,
> and I think the error paths should be reviewed against being able to
> cause inconsistencies in the stream numbers.
>
>
Thanks for the fix Michael! I've verified your solution against ASAN.

- dale
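As an added illustration that is not part of the thread or of FFmpeg's source, the following C model reproduces the numbers from the commit message (nb_streams == 3, nstreams == 1, stream_index == 1) against a seek path that checks the per-stream array bound and the count invariant Michael proposes asserting. The structure and function names are hypothetical stand-ins for the libavformat types mentioned above.

```c
#include <stddef.h>

/* Constructed stand-ins for the structures named in the thread;
 * these are not FFmpeg's real definitions. */
struct ogg_stream { int keyframe_seek; };
struct ogg        { struct ogg_stream *streams; int nstreams; };
struct fmt_ctx    { struct ogg *priv; int nb_streams; };

/* Guarded seek step: returns 0 on success, -1 when the demuxer's
 * per-stream array cannot be indexed safely. */
int ogg_seek_check(struct fmt_ctx *s, int stream_index)
{
    struct ogg *ogg = s->priv;

    /* The invariant worth asserting: both stream counts must agree.
     * Failing loudly here exposes the real bug (diverging counts)
     * instead of letting a later write run off the end of streams[]. */
    if (s->nb_streams != ogg->nstreams)
        return -1;

    /* Bound check against the array that is actually indexed. */
    if (stream_index < 0 || stream_index >= ogg->nstreams)
        return -1;

    ogg->streams[stream_index].keyframe_seek = 1;  /* in-bounds write */
    return 0;
}

/* The thread's case: 3 format-level streams, 1 demuxer stream, index 1.
 * Expected result: -1 (refused) rather than a 4-byte out-of-bounds write. */
int demo_thread_case(void)
{
    struct ogg_stream one[1] = {{0}};
    struct ogg ogg = { one, 1 };
    struct fmt_ctx s = { &ogg, 3 };
    return ogg_seek_check(&s, 1);
}

/* Consistent counts and a valid index: the write lands in the array. */
int demo_consistent_case(void)
{
    struct ogg_stream one[1] = {{0}};
    struct ogg ogg = { one, 1 };
    struct fmt_ctx s = { &ogg, 1 };
    if (ogg_seek_check(&s, 0) != 0)
        return -1;
    return one[0].keyframe_seek;
}
```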

