[FFmpeg-soc] BFI Decoder
Mike Melanson
mike at multimedia.cx
Wed Apr 16 23:18:33 CEST 2008
Sisir Koppaka wrote:
> On Thu, Apr 17, 2008 at 2:31 AM, Michael Niedermayer <michaelni at gmx.at>
> wrote:
>
>> [...]
>>> while (dst != frame_end) {
>>>     byte = *buf++;
>>>     code = byte >> 6;
>>>     length = byte & ~0xC0;
>>>     switch (code) {
>>>     case 0: //Normal Chain
>>>         if (length == 0) {
>>>             length = bytestream_get_le16(&buf);
>>>         }
>>>         bytestream_get_buffer(&buf, dst, length);
>> exploitable
>>
> Do you mean like if somebody changes the dst pointer to point to some other
> stuff? I can think of alternatives like reading byte-by-byte, using similar
> functions, but in all of them, the dst pointer could be changed...if that's
> the exploitable code here. If I'm wrong, can you please explain?
Where does length come from? User input. So I craft a malicious file
that has an outrageous size. That instructs bytestream_get_buffer() to
read a huge amount of data from the file into dst.
At best, it could crash.
At worst, tricks could be played to execute code.
Exploitable. Make sure that length <= the number of valid bytes pointed
to by dst.
--
-Mike Melanson
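The check Mike asks for, as an added example that is not FFmpeg's code or the patch under review: the "normal chain" copy from the quoted loop, rewritten so that `length` is validated against both the space left in the output frame and the bytes left in the input before anything is copied. The function `decode_chains`, the wrappers `demo_valid` and `demo_oversized`, and the byte sequences they feed in are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decode "normal chain" (code 0) records from src into dst.
 * Code byte: top two bits = opcode, low six bits = length; a length
 * of zero means a 16-bit little-endian length follows.
 * Returns bytes written to dst, or -1 if a record would overrun
 * either the input or the output buffer. */
static long decode_chains(const uint8_t *src, size_t src_len,
                          uint8_t *dst, size_t dst_len)
{
    const uint8_t *buf = src, *buf_end = src + src_len;
    uint8_t *out = dst, *dst_end = dst + dst_len;

    while (out != dst_end) {
        unsigned code, length;

        if (buf >= buf_end)                 /* truncated input */
            return -1;
        code   = *buf >> 6;
        length = *buf & 0x3F;
        buf++;
        if (code != 0)                      /* only the normal chain is shown */
            return -1;
        if (length == 0) {
            if (buf_end - buf < 2)
                return -1;
            length = buf[0] | (buf[1] << 8); /* LE16 extended length */
            buf += 2;
        }
        /* The missing check: length is attacker-controlled, so it must not
         * exceed the valid bytes left in dst, nor the bytes left in buf. */
        if (length > (size_t)(dst_end - out) || length > (size_t)(buf_end - buf))
            return -1;
        memcpy(out, buf, length);
        out += length;
        buf += length;
    }
    return (long)(out - dst);
}

/* Constructed sample: a 3-byte chain then a 2-byte chain into a 5-byte frame. */
static long demo_valid(void)
{
    static const uint8_t in[] = { 0x03, 'a', 'b', 'c', 0x02, 'd', 'e' };
    uint8_t frame[5];
    return decode_chains(in, sizeof in, frame, sizeof frame);
}

/* Constructed sample: escape byte followed by an LE16 length of 0xFFFF,
 * far larger than the 5-byte frame; the check rejects it instead of copying. */
static long demo_oversized(void)
{
    static const uint8_t in[] = { 0x00, 0xFF, 0xFF, 'x' };
    uint8_t frame[5];
    return decode_chains(in, sizeof in, frame, sizeof frame);
}
```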