[MPlayer-dev-eng] Too big buffer in "libmpcodecs/ad_pcm.c"?

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Mon Aug 14 13:02:02 CEST 2006


Hello,
On Wed, Aug 09, 2006 at 07:37:57PM +0300, Uoti Urpala wrote:
> On Wed, 2006-08-09 at 18:26 +0200, Reimar Döffinger wrote:
> > Right, I misread the code in mplayer.c, this seems more like the way it
> > was intended.
> > How does the attached (untested) patch look to you?

You could really send a warning before applying something, or at least
help our patch trackers by saying that you applied a fix.

> I'd either 
> - just return an error if the minimum size exceeds maxlen (ridiculous
>   number of channels), or

Are you really sure that audio_out->get_space() can't be larger than
sh_audio->a_out_buffer_size? This really seems like a non-trivial
assumption, and I don't really agree that simplifying
maxlen = maxlen - maxlen % align;
to
return -1;
is worth making such an assumption.

> - increase audio_out_minsize based on the number of channels in preinit
>   (if you do that then no maxlen checks are needed in decode_audio).

which makes assumptions on how maxlen and minlen are created and as soon
as somebody changes the way they are set in mplayer.c or mencoder.c we
will have another bunch of security problems.
Yes, obviously doing so will be a bug anyway, but I dislike programming
in a way that makes bugs immediately security-relevant.

Greetings,
Reimar Döffinger
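The maxlen/align handling argued about above, as an added example that is not MPlayer's own code: a defensive PCM decode in C that rounds the output budget down to whole frames and returns an error when not even one frame fits, plus a constructed canary-buffer scenario showing that nothing past maxlen is written. The pcm_stream_t struct and the scenario helper are assumptions for the example, not the real sh_audio_t or ad_pcm.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the audio stream header: only the fields this
 * example needs (constructed for the example, not MPlayer's sh_audio_t). */
typedef struct { int channels; int bytes_per_sample; } pcm_stream_t;

/* Copy raw PCM from `in` into `out`, writing at most `maxlen` bytes and only
 * whole sample frames. Returns bytes written, or -1 when the output buffer
 * cannot hold even one frame. The size check runs before any write, so a
 * caller that hands over a too-small buffer gets an error, not an overflow. */
long pcm_decode(const pcm_stream_t *sh, const uint8_t *in, size_t inlen,
                uint8_t *out, size_t maxlen)
{
    if (sh->channels <= 0 || sh->bytes_per_sample <= 0)
        return -1;
    size_t align = (size_t)sh->channels * (size_t)sh->bytes_per_sample;
    /* Round the output budget down to whole frames (the thread's
     * "maxlen = maxlen - maxlen % align"). A frame larger than maxlen
     * leaves 0: the "minimum size exceeds maxlen" case, so refuse. */
    maxlen -= maxlen % align;
    if (maxlen == 0)
        return -1;
    size_t n = inlen - inlen % align;   /* only complete input frames */
    if (n > maxlen)
        n = maxlen;
    memcpy(out, in, n);
    return (long)n;
}

/* Constructed scenario: decode `inlen` bytes of a sample pattern into a
 * canary-filled 1 KiB buffer with only `maxlen` bytes allowed. Returns the
 * decoder's result, or -2 if any byte past maxlen was touched. */
long scenario(int channels, int bytes_per_sample, size_t inlen, size_t maxlen)
{
    static uint8_t in[1024], out[1024];
    pcm_stream_t sh = { channels, bytes_per_sample };
    if (inlen > sizeof in || maxlen > sizeof out)
        return -2;
    for (size_t i = 0; i < sizeof in; i++)
        in[i] = (uint8_t)i;
    memset(out, 0xAA, sizeof out);
    long r = pcm_decode(&sh, in, inlen, out, maxlen);
    for (size_t i = maxlen; i < sizeof out; i++)
        if (out[i] != 0xAA)
            return -2;
    return r;
}
```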


