[FFmpeg-devel] [PATCH] apedec: ensure blockstodecode is large enough
michaelni at gmx.at
Tue Apr 28 12:52:43 CEST 2015
On Tue, Apr 28, 2015 at 11:22:22AM +0200, Andreas Cadhalpun wrote:
> On 28.04.2015 03:18, Michael Niedermayer wrote:
> > On Mon, Apr 27, 2015 at 11:56:15PM +0200, Andreas Cadhalpun wrote:
> >> s->decoded_buffer is allocated with a min_size of:
> >> 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
> >> Then it is assigned to s->decoded, which is passed as out buffer to
> >> decode_array_0000.
> >> In this function 64 elements of the out buffer are written
> >> unconditionally and outside the array if blockstodecode is too small.
> >> This causes memory corruption, leading to segmentation faults or other crashes.
> >> Thus check that FFALIGN(blockstodecode, 8) is at least 32, i.e. the
> >> decoded_buffer has at least 64 components.
> > the stereo case would need a check against 64 I think
> > also if this is specific to decode_array_0000(), then the others
> > should not fail with a short array
> > or decode_array_0000() could be made to just write less or error
> > out
> decode_array_0000 is void so error out would require more changes,
> but just writing less seems like a better fix anyway. New patch attached.
> Best regards,
> apedec.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 4f13e8d3f04b128cb0e8b4c0f703ecc56eaedd46 0001-apedec-prevent-out-of-array-writes-in-decode_array_0.patch
> From 969592cc6c04571afa0d8b32be31caf78ca52517 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> Date: Tue, 28 Apr 2015 11:13:43 +0200
> Subject: [PATCH] apedec: prevent out of array writes in decode_array_0000
> s->decoded_buffer is allocated with a min_size of:
> 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
> Then it is assigned to s->decoded (and s->decoded_buffer + FFALIGN(blockstodecode, 8)
> to s->decoded) and passed as out buffer to decode_array_0000.
> In this function 64 elements of the out buffer are written
> unconditionally and outside the array if blockstodecode is too small.
> This causes memory corruption, leading to segmentation faults or other
> Thus change decode_array_0000 to write at most blockstodecode elements
> of the out buffer.
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
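The overrun discussed in this thread, modelled as an added example that is not FFmpeg's code: the two decoder variants below reproduce only the store pattern of decode_array_0000 before and after the bound the patch introduces (the adaptive Rice parameter bookkeeping of the real function is omitted), and a harness sizes the output buffer exactly as apedec sizes decoded_buffer (2 * FFALIGN(blockstodecode, 8) elements, channel 1 starting at FFALIGN(blockstodecode, 8)) inside a sentinel-filled arena so the overrun is counted instead of corrupting memory. FakeBits, fake_sample and run_with_guard are hypothetical helpers introduced here; the sample values are constructed, not read from an APE stream.

```c
#include <stdint.h>
#include <stdio.h>

/* Same macros as FFmpeg's libavutil, reproduced so this runs stand-alone. */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))
#define FFMIN(a, b)   ((a) < (b) ? (a) : (b))

/* Constructed sample source standing in for the Rice/bit reader: a tiny LCG
 * that yields small non-negative values, so no APE file is needed. */
typedef struct { uint32_t state; } FakeBits;

static int32_t fake_sample(FakeBits *b)
{
    b->state = b->state * 1103515245u + 12345u;
    return (int32_t)((b->state >> 16) & 0x3ff);
}

/* Store pattern of decode_array_0000 BEFORE the patch: the first 5 samples and
 * then every sample up to index 64 are written unconditionally. The adaptive
 * Rice parameter bookkeeping of the real function is left out; only the stores
 * matter here. Returns the number of elements written. */
static int decode_array_0000_unfixed(FakeBits *b, int32_t *out, int blockstodecode)
{
    int i;
    (void)blockstodecode;            /* ignored for the first 64 samples: the bug */
    for (i = 0; i < 5; i++)
        out[i] = fake_sample(b);
    for (; i < 64; i++)
        out[i] = fake_sample(b);
    return i;
}

/* The same loops with the bound the patch introduces: never store more than
 * blockstodecode elements. */
static int decode_array_0000_fixed(FakeBits *b, int32_t *out, int blockstodecode)
{
    int i;
    for (i = 0; i < FFMIN(blockstodecode, 5); i++)
        out[i] = fake_sample(b);
    for (; i < FFMIN(blockstodecode, 64); i++)
        out[i] = fake_sample(b);
    return i;
}

enum { ARENA = 256, SENTINEL = INT32_MAX };

/* Run one decoder variant the way apedec uses decoded_buffer: the buffer holds
 * 2 * FFALIGN(blockstodecode, 8) elements, channel 0 starts at element 0 and
 * channel 1 at element FFALIGN(blockstodecode, 8). The buffer sits inside a
 * larger sentinel-filled arena, so an overrun is counted instead of corrupting
 * real memory. Returns the number of clobbered elements past the allocation,
 * or -1 if the arena is too small to observe the run safely. */
static int run_with_guard(int (*fn)(FakeBits *, int32_t *, int),
                          int blockstodecode, int channel)
{
    static int32_t arena[ARENA];
    int alloc  = 2 * FFALIGN(blockstodecode, 8);
    int offset = channel * FFALIGN(blockstodecode, 8);
    int clobbered = 0;
    FakeBits b = { 12345u };

    if (blockstodecode < 0 || channel < 0 || channel > 1 || alloc + 64 > ARENA)
        return -1;
    for (int i = 0; i < ARENA; i++)
        arena[i] = SENTINEL;
    fn(&b, arena + offset, blockstodecode);
    for (int i = alloc; i < ARENA; i++)
        if (arena[i] != SENTINEL)
            clobbered++;
    return clobbered;
}

int main(void)
{
    const int sizes[] = { 8, 24, 32, 64 };
    for (size_t n = 0; n < sizeof(sizes) / sizeof(sizes[0]); n++)
        for (int ch = 0; ch < 2; ch++)
            printf("blockstodecode=%2d ch%d: unfixed clobbers %2d, fixed clobbers %2d\n",
                   sizes[n], ch,
                   run_with_guard(decode_array_0000_unfixed, sizes[n], ch),
                   run_with_guard(decode_array_0000_fixed,   sizes[n], ch));
    return 0;
}
```

With blockstodecode = 32 the unfixed variant stays inside the allocation for channel 0 but still runs 32 elements past it for channel 1, which is the stereo case raised in the thread: a minimum of FFALIGN(blockstodecode, 8) >= 32 would have covered only the first channel, whereas bounding the stores by blockstodecode holds for both because the allocation is always at least twice that.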