[FFmpeg-devel] [PATCH] dvenc: Prevent out-of-bounds read

Derek Buitenhuis derek.buitenhuis at gmail.com
Fri Nov 17 19:54:18 EET 2017


On 11/17/2017 5:37 PM, Michael Niedermayer wrote:
> hmm, I can't really remember this clearly but from looking at the code
> it looks like this is the logic:
> b->next[k] < 64
> b->next[k] >= mb_area_start[a + 1] implies mb_area_start[a + 1] < 64
> which implies a < 3
> and a2 < 4 on the first iteration so the first is still in the array
> subsequently, b->next[k] >= mb_area_start[a2 + 1] exists before the end
> as b->next[k] < 64 and the last entry being 64

Seems to be the case, though it is incredibly non-obvious.

Is there a better way to have that assert run than to check we'd have
already run the OOB access?

- Derek
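
The bounds argument quoted above can be checked exhaustively. The following is an added example, not FFmpeg's code and not part of this message: the array name `area_start`, its first four values and the helper names are assumptions, and only the sentinel 64 and the two conditions come from the thread. `scan_checked` tests the index before each read, so a case that would leave the array is reported instead of read.

```c
#include <stdio.h>

#define N_BOUNDS 5
/* Constructed boundaries; only the final sentinel 64 comes from the thread. */
static const int area_start[N_BOUNDS] = { 1, 6, 21, 43, 64 };

/* Same scan as discussed, but the index is tested before each read.
 * Returns a2, or -1 if the next read would fall outside the array. */
static int scan_checked(int a, int next)
{
    int a2 = a + 1;
    while (a2 + 1 < N_BOUNDS) {
        if (next < area_start[a2 + 1])
            return a2;
        a2++;
    }
    return -1;
}

/* Try every (a, next) meeting the stated preconditions: next < 64 and
 * next >= area_start[a + 1]. Counts cases where the scan would leave the
 * array or end with a2 >= 4, and records the largest a that occurs. */
static int count_violations(int *max_a)
{
    int bad = 0;
    *max_a = -1;
    for (int a = 0; a + 1 < N_BOUNDS; a++) {
        for (int next = 0; next < 64; next++) {
            if (next < area_start[a + 1])
                continue;               /* precondition not met */
            if (a > *max_a)
                *max_a = a;
            int a2 = scan_checked(a, next);
            if (a2 < 0 || a2 >= 4)
                bad++;
        }
    }
    return bad;
}

int main(void)
{
    int max_a;
    int bad = count_violations(&max_a);
    printf("violations=%d, largest a=%d\n", bad, max_a);
    /* Break the precondition (next == 64): the checked scan reports it. */
    printf("next=64 -> %d\n", scan_checked(0, 64));
    return bad != 0;
}
```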

