[FFmpeg-devel] [PATCH] alsdec: validate time diff index
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Sat Apr 18 20:13:30 CEST 2015
On 18.04.2015 20:05, Michael Niedermayer wrote:
> On Sat, Apr 18, 2015 at 06:58:30PM +0200, Andreas Cadhalpun wrote:
>> If begin is smaller than t, the subtraction 'begin -= t' wraps around,
>> because begin is unsigned. The same applies for end < t.
>>
>> This causes segmentation faults.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>> libavcodec/alsdec.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
>> index f85f1e8..ff6b6cf 100644
>> --- a/libavcodec/alsdec.c
>> +++ b/libavcodec/alsdec.c
>> @@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
>>
>> if (ch[dep].time_diff_sign) {
>> t = -t;
>> + if (begin < t) {
>> + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
>> + return AVERROR_INVALIDDATA;
>> + }
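Review bot: In the added `if (begin < t)` check inside the time_diff_sign branch, begin is unsigned (logged with %u) and t is a signed int (logged with %d), so t is converted to unsigned for the comparison. Right after `t = -t`, a negative t then compares as a very large value and the function returns AVERROR_INVALIDDATA even though `begin -= t` would only increase begin. Guard on the sign first, for example `if (t > 0 && begin < t)`. The lines shown cover only begin; the end < t case named in the commit message needs the same sign guard.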
>
> begin is 1, t < 0 also the comparison is unsigned so t will overflow
> in it
Sorry, I sent the wrong version of the patch. Fixed one attached.
The t < 0 case is not problematic for the subtraction.
Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-alsdec-validate-time-diff-index.patch
Type: text/x-diff
Size: 1382 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150418/ce61e05b/attachment.bin>
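Added example, not part of the original mail or of FFmpeg: a stand-alone C program showing the two effects discussed in this thread, the unsigned wrap of begin - t and the signed/unsigned comparison that rejects every negative t, next to a sign-aware check. The helper names (wrapped_sub, naive_rejects, safe_sub) are hypothetical, and the upper-bound test in safe_sub goes beyond the case in the thread.

```c
#include <limits.h>
#include <stdio.h>

/* What `begin -= t` does when begin < t: unsigned arithmetic wraps. */
static unsigned wrapped_sub(unsigned begin, int t)
{
    return begin - (unsigned)t;
}

/* Same shape as `if (begin < t)`. The cast spells out the conversion the
 * compiler applies implicitly when comparing unsigned with int. */
static int naive_rejects(unsigned begin, int t)
{
    return begin < (unsigned)t;
}

/* Hypothetical helper: computes begin - t only if the result fits. */
static int safe_sub(unsigned begin, int t, unsigned *out)
{
    if (t > 0 && begin < (unsigned)t)
        return -1;                              /* would wrap below zero */
    if (t < 0 && 0u - (unsigned)t > UINT_MAX - begin)
        return -1;                              /* would wrap past UINT_MAX */
    *out = begin - (unsigned)t;                 /* t < 0 yields begin + |t| */
    return 0;
}

int main(void)
{
    unsigned r = 0;
    printf("1 - 3 as unsigned: %u\n", wrapped_sub(1u, 3));
    printf("naive check rejects begin=1, t=-2: %d\n", naive_rejects(1u, -2));
    if (safe_sub(1u, -2, &r) == 0)
        printf("safe_sub(1, -2) = %u\n", r);
    printf("safe_sub(1, 3) -> %d\n", safe_sub(1u, 3, &r));
    return 0;
}
```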