[FFmpeg-devel] [PATCH] rawdec: fix mjpeg probing buffer size check
michael at niedermayer.cc
Thu Jul 30 00:55:49 CEST 2015
On Thu, Jul 30, 2015 at 12:28:36AM +0200, wm4 wrote:
> On Thu, 30 Jul 2015 00:17:49 +0200
> Michael Niedermayer <michael at niedermayer.cc> wrote:
> > On Wed, Jul 29, 2015 at 10:33:44PM +0200, wm4 wrote:
> > > ---
> > > If I read this right, the subtraction and comparison would be done in
> > > unsigned, because size_t is unsigned. Which would make this check
> > > ineffective. (p->buf_size is int.)
> > > ---
> > > libavformat/rawdec.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > I wonder why this wasn't noticed before
> > I've the suspicion the negative case cannot actually occur
> > either way it's a bug
> When not? I suppose normally nobody would make the probe buffer so
> small, but what about small files?
To reach the loop you first need to have some construct that parses
into 2 valid looking frames and still be smaller than the string.
A random small file will not trigger this, a crafted file might "work"
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you don't want and which you would get tomorrow for free anyway
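The signed/unsigned pitfall discussed in this thread, as an added C example that is not code from the patch or from FFmpeg. The names `marker`, `scan_limit_unsigned`, `scan_limit_signed` and `count_markers`, the marker string and the scan cap of 100 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical marker a probe scans for; not taken from rawdec.c. */
static const char marker[] = "\r\nX-Marker: demo\r\n";
#define SCAN_CAP 100 /* assumed upper bound on scanned offsets */

/* Flawed bound: sizeof yields size_t, so buf_size is converted to
 * unsigned and a "negative" difference wraps to a huge value. */
size_t scan_limit_unsigned(int buf_size)
{
    size_t limit = buf_size - sizeof(marker);
    return limit < SCAN_CAP ? limit : SCAN_CAP;
}

/* Corrected bound: casting sizeof to int keeps the arithmetic signed. */
int scan_limit_signed(int buf_size)
{
    int limit = buf_size - (int)sizeof(marker);
    return limit < SCAN_CAP ? limit : SCAN_CAP;
}

/* Count marker hits; with the signed bound memcmp stays inside buf. */
int count_markers(const unsigned char *buf, int buf_size)
{
    int hits = 0, limit = scan_limit_signed(buf_size);
    for (int i = 0; i < limit; i++)
        if (!memcmp(buf + i, marker, sizeof(marker) - 1))
            hits++;
    return hits;
}

int main(void)
{
    unsigned char tiny[8] = "abcdefg"; /* constructed 8-byte input */
    printf("unsigned bound: %zu\n", scan_limit_unsigned(8));
    printf("signed bound:   %d\n", scan_limit_signed(8));
    printf("hits:           %d\n", count_markers(tiny, 8));
    return 0;
}
```

With a buffer shorter than the marker, the unsigned bound still allows the full scan cap, so a loop using it would compare well past the end of the buffer; the signed bound is negative and the loop body never runs.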