[FFmpeg-devel] [PATCH 7/8] avformat/aviobuf: Check for overflow in ffio_read_varlen()
Michael Niedermayer
michael at niedermayer.cc
Mon Dec 21 19:56:03 EET 2020
On Mon, Dec 21, 2020 at 12:30:48PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > No testcase
> >
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/aviobuf.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
> > index 78cc60b2ae..7730547106 100644
> > --- a/libavformat/aviobuf.c
> > +++ b/libavformat/aviobuf.c
> > @@ -917,6 +917,8 @@ uint64_t ffio_read_varlen(AVIOContext *bc){
> >
> > do{
> > tmp = avio_r8(bc);
> > + if (val > UINT64_MAX>>7)
> > + return AVERROR_INVALIDDATA;
> > val= (val<<7) + (tmp&127);
> > }while(tmp&128);
> > return val;
> >
> The error can't be detected at all given that the function returns an
> uint64_t.
in practice the type of the destination matters.
But sure you are correct that this is not "great"
what do you suggest ? there are many ways to fix this
also the reuse of this function between demuxers feels not entirely
wise. Any change/fix must be reasonable for all demuxers, i imagine
that makes the mainaince for all harder ...
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The worst form of inequality is to try to make unequal things equal.
-- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20201221/5f3fdf3f/attachment.sig>
More information about the ffmpeg-devel
mailing list