[FFmpeg-devel] [libav-devel] [PATCH] alsdec: validate time diff index

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Mon Apr 20 23:20:40 CEST 2015


On 19.04.2015 22:20, Luca Barbato wrote:
> On 18/04/15 18:58, Andreas Cadhalpun wrote:
>> If begin is smaller than t, the subtraction 'begin -= t' wraps around,
>> because begin is unsigned. The same applies for end < t.
>>
>> This causes segmentation faults.
> 
> Actually, the access to raw_buffer seems a bit optimistic all over this
> code.
> 
> I'd check that `master` is always between `raw_buffer` and the end of it.

You mean something like the attached patch?

> (I'm not sure if `div_blocks` is validated before, same for `offset`)

That should catch problems in those as well.

Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-alsdec-check-sample-pointer-range-in-revert_channel_.patch
Type: text/x-diff
Size: 1790 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150420/3aada282/attachment.bin>
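
The wraparound described in the quoted commit message, next to a range check of the kind suggested in the reply, as an added example that is not part of the original mail or the attached patch. All function names and values are hypothetical, and the range check works on sample indices rather than on the decoder's actual pointers.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked form: 'begin -= t' on an unsigned value wraps when begin < t. */
static unsigned shift_unchecked(unsigned begin, unsigned t)
{
    begin -= t;
    return begin;
}

/* Checked form (hypothetical helper): refuse the shift when either bound
 * is smaller than t. Returns 0 on success, -1 if a subtraction would wrap;
 * on failure begin and end are left untouched. */
static int shift_checked(unsigned *begin, unsigned *end, unsigned t)
{
    if (*begin < t || *end < t)
        return -1;
    *begin -= t;
    *end   -= t;
    return 0;
}

/* Range check in index form (hypothetical helper): do the samples
 * [offset, offset + count) lie inside a buffer of buf_len samples?
 * Written so that the check itself cannot overflow. */
static int range_in_buffer(size_t buf_len, size_t offset, size_t count)
{
    return offset <= buf_len && count <= buf_len - offset;
}

int main(void)
{
    unsigned begin = 2, end = 10;               /* constructed values */
    unsigned wrapped = shift_unchecked(2, 5);   /* begin < t */

    printf("unchecked 2 - 5     = %u\n", wrapped);
    printf("checked shift by 5  = %d\n", shift_checked(&begin, &end, 5));
    printf("wrapped index valid = %d\n", range_in_buffer(4096, wrapped, 16));
    return 0;
}
```

A range check applied after the subtraction rejects the wrapped index because it lies far beyond the buffer length, which is why such a check also catches bad values in the inputs that feed the index.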

