[FFmpeg-devel] [PATCH] cook: avoid out of global array read.
Michael Niedermayer
michaelni at gmx.at
Tue Feb 28 21:09:05 CET 2012
On Tue, Feb 28, 2012 at 08:41:43PM +0100, Reimar Döffinger wrote:
> On Tue, Feb 28, 2012 at 08:10:21PM +0100, Michael Niedermayer wrote:
> > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> > Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> > ---
> > libavcodec/cook.c | 41 +++++++++++++++++++++++++++++------------
> > 1 files changed, 29 insertions(+), 12 deletions(-)
> >
> > diff --git a/libavcodec/cook.c b/libavcodec/cook.c
> > index 08b51d8..920f527 100644
> > --- a/libavcodec/cook.c
> > +++ b/libavcodec/cook.c
> > @@ -366,7 +366,7 @@ static void decode_gain_info(GetBitContext *gb, int *gaininfo)
> > * @param q pointer to the COOKContext
> > * @param quant_index_table pointer to the array
> > */
> > -static void decode_envelope(COOKContext *q, COOKSubpacket *p,
> > +static int decode_envelope(COOKContext *q, COOKSubpacket *p,
> > int *quant_index_table)
> > {
> > int i, j, vlc_index;
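Review bot: decode_envelope() now returns int, but the doc comment directly above the signature still lists only "@param q" and "@param quant_index_table". Please add a @return line stating what is returned on success and on failure. The new parameter-order gap is also visible there: COOKSubpacket *p has no @param entry between q and quant_index_table. The callers are not part of this hunk; each one has to check the new return value and propagate it, otherwise the added check has no effect.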
> > @@ -388,7 +388,14 @@ static void decode_envelope(COOKContext *q, COOKSubpacket *p,
> > j = get_vlc2(&q->gb, q->envelope_quant_index[vlc_index - 1].table,
> > q->envelope_quant_index[vlc_index - 1].bits, 2);
> > quant_index_table[i] = quant_index_table[i - 1] + j - 12; // differential encoding
> > +
> > + if (quant_index_table[i] < -63 || quant_index_table[i] > 64) {
> > + av_log_ask_for_sample(NULL, "quant_index_table value out of bounds\n");
> > + return AVERROR_PATCHWELCOME;
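Review bot: the limits in "quant_index_table[i] < -63 || quant_index_table[i] > 64" are bare literals with no visible link to the global array the commit title says is being over-read. Please derive them from that array's size, or add a comment naming the array and the offset applied to the index, so the check stays correct if the table changes. The check also runs after the value has been stored into quant_index_table[i], which is only safe if every caller stops using the table on error. Separately, av_log_ask_for_sample() is called with NULL as its context; passing the codec context, if one is reachable from q, would tie the message to the decoder instance.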
>
> Is there a reason to believe this indicates an unimplemented feature
> and not a broken file?
I have no way to know if such quant_index_table values are allowed
or not. That's also why I sent a patch; I hope someone like Ben could
comment.
> If yes, that should be documented.
> If not, I think this should return AVERROR_INVALIDDATA.
I've just used what other checks in the file, like on subband number,
return. Changing it for one case would make that inconsistent.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus