[FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header
Michael Niedermayer
michaelni at gmx.at
Tue Apr 28 23:22:40 CEST 2015
On Tue, Apr 28, 2015 at 10:39:40PM +0200, Andreas Cadhalpun wrote:
> On 28.04.2015 22:21, Michael Niedermayer wrote:
> > On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
> >> The existing check has two problems:
> >> 1) i + count can overflow, so that the check '< 256' returns true.
> >> 2) In the (i == 'N') case a j-- occurs, so that the loop runs once more.
> >>
> >> This can trigger the assertion 'nut->header_len[0] == 0' or cause
> >> segmentation faults or infinite hangs.
> >>
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >> libavformat/nutdec.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> >> index 1bb2091..46946d3 100644
> >> --- a/libavformat/nutdec.c
> >> +++ b/libavformat/nutdec.c
> >> @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
> >> while (tmp_fields-- > 8)
> >> ffio_read_varlen(bc);
> >>
> >> - if (count == 0 || i + count > 256) {
> >> + if (count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && count > 255 - i)) {
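Review bot: the two `(i > 'N' && ...)` / `(i <= 'N' && ...)` branches on the `+` line differ only in the bound being 256 - i versus 255 - i, so fold them into one expression such as `count > 256 - (i <= 'N') - i` (mind the parentheses); this keeps the intent visible, namely that an entry at or before the reserved 'N' index consumes one extra slot because of the extra loop iteration described in the commit message. Note also that switching `count == 0` to `count <= 0` only helps if `count` is signed, and the rewritten comparison avoids the `i + count` overflow only because `i` is kept below 256 by the enclosing loop; a one-line comment above the check stating both assumptions would stop a later reader from "simplifying" it back to `i + count > 256`.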
> >
> > this could be simplified to:
> >
> > if (count <= 0 || count > 256 - (i <= 'N') - i)) {
> ^
> OK, but there is a bracket too much.
> New patch attached.
>
> Best regards,
> Andreas
> nutdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 4f42bba58646e45fba9c52b4ec5faa3cf7e6904f 0001-nutdec-fix-illegal-count-check-in-decode_main_header.patch
> From 95cc0bb685be1436e0689ea77daa3c63d691ecd4 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> Date: Tue, 28 Apr 2015 22:37:19 +0200
> Subject: [PATCH] nutdec: fix illegal count check in decode_main_header
applied
thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
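An added example, not code from the thread or from libavformat, modelling the two defects the commit message describes: the old `i + count > 256` check accepts a wrapped sum and a negative count, and it also ignores that an entry at or before the reserved 'N' index makes the fill loop run once more. The table size, the reserved index 'N' and the helper names (`old_check_rejects`, `new_check_rejects`, `fill_frame_codes`, `wrapping_add`) are assumptions of this example; `fill_frame_codes` only reports the highest index the loop would touch rather than writing a real table, so the out-of-bounds case can be observed safely.

```c
/* Added example: model of the NUT main-header framecode-table bound check
 * discussed in the patch.  This is NOT libavformat code; the loop below only
 * mimics the shape described in the commit message (256 entries, reserved
 * 'N' index skipped with an extra iteration).  All names are invented here. */
#include <limits.h>
#include <stdio.h>

#define TABLE_SIZE 256
#define RESERVED   'N'   /* 78: framecode that must stay invalid */

/* Two's-complement wrap of a signed sum, emulating what `i + count` does on
 * common targets.  Signed overflow is undefined in ISO C, so the emulation
 * goes through unsigned arithmetic (the cast back is implementation-defined
 * modulo 2^32 on the usual compilers). */
static int wrapping_add(int a, int b)
{
    return (int)((unsigned)a + (unsigned)b);
}

/* The check before the patch: returns 1 when the header is rejected.
 * A huge count wraps the sum negative and a negative count slips through. */
static int old_check_rejects(int i, int count)
{
    return count == 0 || wrapping_add(i, count) > TABLE_SIZE;
}

/* The check after the patch, in the simplified form suggested in the thread.
 * When i <= 'N' the reserved entry will consume one extra slot, so one less
 * entry fits.  No addition involving count, hence nothing to overflow. */
static int new_check_rejects(int i, int count)
{
    return count <= 0 || count > TABLE_SIZE - (i <= RESERVED) - i;
}

/* Simulate filling `count` entries starting at index i.  Mirrors the j-- on
 * the reserved index from the commit message: that slot is written (marked
 * invalid) but not counted, so the loop runs once more.  Returns the highest
 * index touched; anything >= TABLE_SIZE would be an out-of-bounds write. */
static int fill_frame_codes(int i, int count)
{
    int j, last = -1;
    for (j = 0; j < count; j++, i++) {
        last = i;            /* the real loop writes entry i here */
        if (i == RESERVED) {
            j--;             /* reserved entry does not count towards `count` */
            continue;
        }
    }
    return last;
}

int main(void)
{
    /* constructed cases: just before 'N', exactly at 'N', after 'N', wrap */
    int cases[][2] = { {77, 179}, {77, 178}, {78, 178}, {79, 177}, {1, INT_MAX}, {5, -1} };
    size_t n;
    for (n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        int i = cases[n][0], count = cases[n][1];
        printf("i=%3d count=%11d old:%s new:%s", i, count,
               old_check_rejects(i, count) ? "reject" : "accept",
               new_check_rejects(i, count) ? "reject" : "accept");
        if (count > 0 && count <= TABLE_SIZE)
            printf(" last_index=%d", fill_frame_codes(i, count));
        printf("\n");
    }
    return 0;
}
```

The interesting rows are the ones the old check accepts: starting at 77 with count 179 the sum is exactly 256, yet the extra iteration on index 78 pushes the last write to index 256; starting at 'N' itself with count 178 does the same; a count of INT_MAX wraps the sum negative; and a count of -1 passes `count == 0`. The patched check rejects all four while still accepting the largest count that fits.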