[FFmpeg-soc] BFI Decoder
Sisir Koppaka
sisir.koppaka at gmail.com
Wed Apr 16 23:21:28 CEST 2008
On Thu, Apr 17, 2008 at 2:48 AM, Mike Melanson <mike at multimedia.cx> wrote:
> Sisir Koppaka wrote:
> > On Thu, Apr 17, 2008 at 2:31 AM, Michael Niedermayer <michaelni at gmx.at>
> > wrote:
> >
> >> [...]
> >>> while (dst != frame_end) {
> >>> byte = *buf++;
> >>> code = byte >> 6;
> >>> length = byte & ~0xC0;
> >>> switch (code) {
> >>> case 0: //Normal Chain
> >>> if (length == 0) {
> >>> length = bytestream_get_le16(&buf);
> >>> }
> >>> bytestream_get_buffer(&buf, dst, length);
> >> exploitable
> >>
> > Do you mean like if somebody changes the dst pointer to point to some other
> > stuff? I can think of alternatives like reading byte-by-byte, using similar
> > functions, but in all of them, the dst pointer could be changed...if that's
> > the exploitable code here. If I'm wrong, can you please explain?
>
> Where does length come from? User input. So I craft a malicious file
> that has an outrageous size. That instructs bytestream_get_buffer() to
> read a huge amount of data from the file into dst.
>
> At best, it could crash.
>
> At worst, tricks could be played to execute code.
>
> Exploitable. Make sure that length <= the number of valid bytes pointed
> to by dst.
>
Oh, thanks. I should be a bit more cunning to get these sort of ideas... :)
-----------------
Sisir Koppaka
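The point Mike makes above, as an added example (this is not code from the thread or from FFmpeg's BFI decoder): the quoted loop trusts a length taken from the file and hands it to bytestream_get_buffer() without comparing it to what is left in either buffer. The checked decoder below keeps the same "normal chain" logic (code == 0) and adds the two comparisons the quoted code lacks, against the remaining input and against the remaining frame. Only the case shown in the thread is implemented; the other chain types are rejected here, which is an assumption of this example, not the real format. Function names and the two constructed sample streams are likewise this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 16-bit read, advancing the cursor (caller must ensure 2 bytes remain). */
static uint16_t get_le16(const uint8_t **buf)
{
    uint16_t v = (uint16_t)((*buf)[0] | ((*buf)[1] << 8));
    *buf += 2;
    return v;
}

/* Shape of the quoted loop: length comes straight from the stream and is
   never bounded by the space left in buf or dst. Shown for comparison only;
   it is never called on data in this example. */
void bfi_decode_unchecked(const uint8_t *buf, uint8_t *dst, uint8_t *frame_end)
{
    while (dst != frame_end) {
        uint8_t byte = *buf++;
        unsigned code = byte >> 6;
        size_t length = byte & 0x3F;
        if (code == 0) {
            if (length == 0)
                length = get_le16(&buf);
            memcpy(dst, buf, length);   /* length unbounded: source and destination overrun */
            buf += length;
            dst += length;
        }
    }
}

/* Hardened version. Returns the number of bytes written to dst, or -1 if the
   stream would read past buf_size or write past dst_size. */
int bfi_decode_checked(const uint8_t *buf, size_t buf_size,
                       uint8_t *dst, size_t dst_size)
{
    const uint8_t *buf_end = buf + buf_size;
    uint8_t *frame_end = dst + dst_size;
    uint8_t *dst_start = dst;

    while (dst != frame_end) {
        if (buf >= buf_end)
            return -1;                              /* truncated input */
        uint8_t byte = *buf++;
        unsigned code = byte >> 6;
        size_t length = byte & 0x3F;

        switch (code) {
        case 0: /* normal chain: copy `length` literal bytes */
            if (length == 0) {
                if (buf_end - buf < 2)
                    return -1;                      /* no room for the 16-bit length */
                length = get_le16(&buf);
            }
            /* The two checks missing from the quoted code. */
            if (length > (size_t)(buf_end - buf))
                return -1;                          /* would read past end of file data */
            if (length > (size_t)(frame_end - dst))
                return -1;                          /* would write past end of frame */
            memcpy(dst, buf, length);
            buf += length;
            dst += length;
            break;
        default:
            /* Other chain types are not shown in the thread; rejected here (assumption). */
            return -1;
        }
    }
    return (int)(dst - dst_start);
}

/* Constructed well-formed stream: 3 literal bytes, then a 0-length marker
   followed by a 16-bit length of 2 and 2 more literal bytes. Expect "abcde". */
int demo_good_stream(void)
{
    static const uint8_t stream[] = { 0x03, 'a', 'b', 'c', 0x00, 0x02, 0x00, 'd', 'e' };
    uint8_t frame[5];
    int n = bfi_decode_checked(stream, sizeof stream, frame, sizeof frame);
    return n == 5 && memcmp(frame, "abcde", 5) == 0;
}

/* Constructed malicious stream: a 16-bit length of 0xFFFF with no data behind it. */
int demo_outrageous_length(void)
{
    static const uint8_t stream[] = { 0x00, 0xFF, 0xFF };
    uint8_t frame[8];
    return bfi_decode_checked(stream, sizeof stream, frame, sizeof frame);
}

/* Constructed stream whose literal run is larger than the frame it targets. */
int demo_frame_overrun(void)
{
    static const uint8_t stream[] = { 0x06, 1, 2, 3, 4, 5, 6 };
    uint8_t frame[4];
    return bfi_decode_checked(stream, sizeof stream, frame, sizeof frame);
}
```

Both comparisons matter: the first stops a read beyond the packet (information leak or crash), the second stops the write beyond the frame, which is the memory corruption Mike is pointing at. Checking only `dst` still leaves the decoder reading uninitialised or unmapped memory.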