[MPlayer-cvslog] r26644 - trunk/libmpdemux/demux_asf.c

Evgeniy Stepanov eugeni.stepanov at gmail.com
Fri May 2 18:46:28 CEST 2008


On Friday 02 May 2008 19:48:36 Michael Niedermayer wrote:
> On Fri, May 02, 2008 at 03:33:14PM +0200, eugeni wrote:
> > Author: eugeni
> > Date: Fri May  2 15:33:14 2008
> > New Revision: 26644
> >
> > Log:
> > Check ASF packet size before calling demux_asf_read_packet. Fixes
> > segfault with damaged ASF files.

[...]

> How does adding assert() prevent a segfault?

Huh? By leaving the program immediately instead of segfaulting later.

> And what kind of segfault is this? The writing data from the file outside
> the buffer type or is it just reading? Not that I think that it would take
> more than a minute to find a way to make the code write out of the
> buffers.
>
> [...]

Damaged files produce random packet lengths, sometimes negative. This results 
in writing outside of the demux_packet's buffer. With assert it is at least 
not exploitable.

Taking a closer look, ASF seems to have fixed size pages, and demuxer should
just skip to the next one in this case? Perhaps I was too hasty to commit.
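
Added example, not part of the original message and not MPlayer's code: a length check for a signed, file-supplied packet length that rejects the packet and lets the caller skip it instead of aborting. All names (packet_buf, copy_fragment, PKT_OK, PKT_SKIP, demo) and the sample sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; this is not the code from demux_asf.c. */
enum { PKT_OK = 0, PKT_SKIP = -1 };

struct packet_buf {
    uint8_t *data;  /* destination buffer */
    size_t   size;  /* bytes allocated at data */
    size_t   used;  /* bytes already filled */
};

/*
 * Append `len` bytes to pb. `len` comes from an untrusted header and is
 * signed, so a damaged file can make it negative or larger than the space
 * left. The checks stay active in NDEBUG builds (assert() does not) and
 * return PKT_SKIP so the caller can move on to the next packet.
 */
static int copy_fragment(struct packet_buf *pb, const uint8_t *src,
                         size_t src_avail, int len)
{
    if (len < 0)
        return PKT_SKIP;              /* would become a huge size_t */
    size_t n = (size_t)len;
    if (n > src_avail)
        return PKT_SKIP;              /* header claims more than was read */
    if (pb->used > pb->size || n > pb->size - pb->used)
        return PKT_SKIP;              /* would write past the buffer */
    memcpy(pb->data + pb->used, src, n);
    pb->used += n;
    return PKT_OK;
}

/* Constructed input: 16-byte buffer with 4 bytes used, 32 source bytes. */
static int demo(int len)
{
    uint8_t dst[16] = { 0 };
    static const uint8_t src[32] = { 0 };
    struct packet_buf pb = { dst, sizeof dst, 4 };
    return copy_fragment(&pb, src, sizeof src, len);
}

int main(void)
{
    /* 12 bytes fit exactly; 13, 40 and -1 are rejected. */
    return !(demo(12) == PKT_OK && demo(13) == PKT_SKIP &&
             demo(40) == PKT_SKIP && demo(-1) == PKT_SKIP);
}
```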


