[FFmpeg-devel] [PATCH] avcodec/utvideodec: Fix bytes left check in decode_frame()

Paul B Mahol onemda at gmail.com
Sat Feb 3 11:16:07 EET 2018


On 2/2/18, Michael Niedermayer <michael at niedermayer.cc> wrote:
> Fixes: out of array read
> Fixes: poc-2017.avi
>
> Found-by: GwanYeong Kim <gy741.kim at gmail.com>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/utvideodec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
> index 608c8c4998..1bcd14e74c 100644
> --- a/libavcodec/utvideodec.c
> +++ b/libavcodec/utvideodec.c
> @@ -676,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx, void
> *data, int *got_frame,
>              for (j = 0; j < c->slices; j++) {
>                  slice_end   = bytestream2_get_le32u(&gb);
>                  if (slice_end < 0 || slice_end < slice_start ||
> -                    bytestream2_get_bytes_left(&gb) < slice_end) {
> +                    bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) {
>                      av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
>                      return AVERROR_INVALIDDATA;
>                  }
> --
> 2.16.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

Why this magic number 1024LL ?


More information about the ffmpeg-devel mailing list