[MPlayer-dev-eng] [PATCH] Fix memory corruption in libmpeg2 decoder

Uoti Urpala uoti.urpala at pp1.inet.fi
Wed Apr 12 22:55:02 CEST 2006


The libmpeg2 decoder allocates an array whose size depends on image
parameters. It's allocated only once even though the parameters might
change to require a larger array. As a result memory outside the array
will be overwritten. This might be usable for security exploits but
probably not easily as the overwriting bytes cannot be chosen freely.

The changes in vd_libmpeg2.c are the main fix; the vf.c change is a
sanity check to make sure nothing else reuses an old qscale pointer
(there shouldn't be any uses in current code).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qscalefix.diff
Type: text/x-patch
Size: 1648 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20060412/930e9b26/attachment.bin>
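
The bug class described in the message, as an added C example that is not MPlayer's or libmpeg2's code and not the attached patch: a table sized from the image dimensions is allocated once and reused after the dimensions grow, shown next to a version that re-checks the size on every parameter change. The names `dec_ctx`, `mb_count`, `qtable_alloc_once` and `qtable_ensure`, and the one-byte-per-16x16-macroblock layout, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decoder state: one quantizer byte per 16x16 macroblock. */
struct dec_ctx {
    int8_t *qtable;   /* per-macroblock table */
    size_t  qcap;     /* entries actually allocated */
};

/* Entries needed for a frame; returns 0 for invalid or overflowing sizes. */
static size_t mb_count(unsigned width, unsigned height)
{
    size_t mbw = ((size_t)width + 15) / 16, mbh = ((size_t)height + 15) / 16;
    if (mbw == 0 || mbh == 0 || mbw > SIZE_MAX / mbh) return 0;
    return mbw * mbh;
}

/* Flawed pattern: sized from the first parameters seen, never revisited. */
static int qtable_alloc_once(struct dec_ctx *c, unsigned w, unsigned h)
{
    if (!c->qtable) {
        c->qcap = mb_count(w, h);
        c->qtable = c->qcap ? calloc(c->qcap, 1) : NULL;
    }
    return c->qtable ? 0 : -1;  /* a later, larger frame writes past qcap */
}

/* Hardened pattern: re-check on every parameter change, grow when needed. */
static int qtable_ensure(struct dec_ctx *c, unsigned w, unsigned h)
{
    size_t need = mb_count(w, h);
    if (need == 0) return -1;
    if (need > c->qcap) {
        int8_t *p = calloc(need, 1);   /* table is refilled for each frame */
        if (!p) return -1;
        free(c->qtable);               /* pointers saved elsewhere are now stale */
        c->qtable = p; c->qcap = need;
    }
    return 0;
}

int main(void)
{
    struct dec_ctx a = {0}, b = {0};
    qtable_alloc_once(&a, 352, 288); qtable_alloc_once(&a, 720, 576);
    qtable_ensure(&b, 352, 288);     qtable_ensure(&b, 720, 576);
    printf("once: cap=%zu need=%zu; ensure: cap=%zu\n", a.qcap, mb_count(720, 576), b.qcap);
    free(a.qtable); free(b.qtable);
}
```

Because the hardened version frees the old table when it grows, any consumer that cached the previous pointer has to be reset at the same time, which is the kind of reuse the message's vf.c sanity check guards against.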

