[FFmpeg-devel] [PATCH] avcodec/dvdsubdec: fix accessing dangling pointers

Michael Niedermayer michaelni at gmx.at
Thu Jan 8 18:04:22 CET 2015

On Thu, Jan 08, 2015 at 05:19:17PM +0100, wm4 wrote:
> dvdsub_decode() can call append_to_cached_buf() 2 times, the second time
> with ctx->buf as argument. If the second append_to_cached_buf() reallocs
> ctx->buf, the argument will be a pointer to the previous, freed block.
> This can cause invalid reads at least with some fuzzed files - and
> possibly with valid files.
> Since packets can apparently not be larger than 64K (even if packets are
> combined), just use a fixed size buffer. It will be allocated as part of
> the DVDSubContext, and although some memory is "wasted", it's relatively
> minimal by modern standards and should be acceptable.
> ---
>  libavcodec/dvdsubdec.c | 12 +++---------
>  1 file changed, 3 insertions(+), 9 deletions(-)



Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
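The failure mode in the quoted commit message is general: an append routine that grows its destination with realloc and then copies from a source pointer that aliases the old destination block. The example below is added here and is not FFmpeg's code; the `Cache`/`FixedCache` structs, the function names and the 65536-byte limit (taken from the commit message's "64K" statement, not verified against DVD subtitle packet sizes) are assumptions for illustration. It replays the two-append sequence on three variants: the buggy shape (instrumented to report the dangling pointer instead of reading freed memory), an offset-preserving append, and the fixed-buffer approach the patch chose.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable cache standing in for ctx->buf; not FFmpeg's DVDSubContext. */
typedef struct {
    uint8_t *buf;
    size_t   size;
    size_t   cap;
} Cache;

/* Grow by moving to a fresh block and freeing the old one, so the old pointer
 * is guaranteed to dangle (a real realloc may or may not move the block). */
static int cache_grow(Cache *c, size_t need)
{
    size_t cap = c->cap ? c->cap : 16;
    while (cap < need) cap *= 2;
    uint8_t *nb = malloc(cap);
    if (!nb) return -1;
    if (c->size) memcpy(nb, c->buf, c->size);
    free(c->buf);
    c->buf = nb;
    c->cap = cap;
    return 0;
}

/* Same shape as the buggy append: grow, then memcpy from src. If src pointed
 * into the cache and the block moved, src now dangles. Instead of performing
 * the invalid read, this returns -2 at exactly that point. */
static int append_dangling_shape(Cache *c, const uint8_t *src, size_t n)
{
    int aliases = c->buf && src >= c->buf && src < c->buf + c->size;
    if (n > SIZE_MAX - c->size) return -1;
    if (c->size + n > c->cap) {
        uintptr_t old = (uintptr_t)c->buf;
        if (cache_grow(c, c->size + n) < 0) return -1;
        if (aliases && (uintptr_t)c->buf != old)
            return -2;                 /* src now points into the freed block */
    }
    memcpy(c->buf + c->size, src, n);
    c->size += n;
    return 0;
}

/* Fix A: carry an aliasing src across the grow as an offset and re-derive it. */
static int append_safe(Cache *c, const uint8_t *src, size_t n)
{
    int aliases = c->buf && src >= c->buf && src < c->buf + c->size;
    size_t off = aliases ? (size_t)(src - c->buf) : 0;
    if (n > SIZE_MAX - c->size) return -1;
    if (aliases && n > c->size - off) return -1;      /* alias must stay inside the cache */
    if (c->size + n > c->cap && cache_grow(c, c->size + n) < 0) return -1;
    if (aliases) src = c->buf + off;
    memmove(c->buf + c->size, src, n);
    c->size += n;
    return 0;
}

/* Fix B: the patch's approach, a fixed buffer inside the context so nothing is
 * ever reallocated. 65536 follows the commit message's 64K claim (assumed). */
#define FIXED_CACHE_MAX 65536
typedef struct {
    uint8_t buf[FIXED_CACHE_MAX];
    size_t  size;
} FixedCache;

static int append_fixed(FixedCache *c, const uint8_t *src, size_t n)
{
    if (n > FIXED_CACHE_MAX - c->size) return -1;     /* reject instead of growing */
    memmove(c->buf + c->size, src, n);                 /* src may be c->buf itself */
    c->size += n;
    return 0;
}

/* Constructed 16-byte stand-in for a partial subtitle packet. */
static const uint8_t SAMPLE_PKT[] = "0123456789abcdef";
#define SAMPLE_LEN 16

/* Replays the "append packet, then append ctx->buf to itself" sequence on each
 * variant. Returns 0 if the dangling case is caught and both fixes behave, else
 * the number of the step that went wrong. */
static int run_demo(void)
{
    Cache c = {0};
    static FixedCache f;
    int rc = 0;

    if (append_dangling_shape(&c, SAMPLE_PKT, SAMPLE_LEN) != 0) rc = 1;
    else if (append_dangling_shape(&c, c.buf, c.size) != -2) rc = 2;  /* block moved: caught */
    else if (append_safe(&c, c.buf, c.size) != 0) rc = 3;             /* fits, no grow */
    else if (append_safe(&c, c.buf, c.size) != 0) rc = 4;             /* grows 32 -> 64 */
    else if (c.size != 4 * SAMPLE_LEN ||
             memcmp(c.buf + 3 * SAMPLE_LEN, SAMPLE_PKT, SAMPLE_LEN) != 0) rc = 5;
    else if (append_safe(&c, c.buf + c.size - 1, 2) != -1) rc = 6;    /* alias past end */
    free(c.buf);
    if (rc) return rc;

    f.size = 0;
    if (append_fixed(&f, SAMPLE_PKT, SAMPLE_LEN) != 0) return 7;
    if (append_fixed(&f, f.buf, f.size) != 0 || f.size != 2 * SAMPLE_LEN) return 8;
    if (append_fixed(&f, f.buf, FIXED_CACHE_MAX) != -1) return 9;    /* overflow rejected */
    return 0;
}
```

The instrumented variant only reports the dangling pointer because `cache_grow` always moves the block; with a real realloc the copy from freed memory happens silently whenever the allocator decides to move, which is why the bug surfaced on fuzzed inputs rather than consistently. Either fix removes the dependence on src surviving the grow: fix A by recomputing it, fix B by never growing and bounding the append instead.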