[MPlayer-dev-eng] [patch] backports/fixes from uoti demux_mkv.c for comp_algo==3

Yuriy Kaminskiy yumkam at mail.ru
Thu Aug 12 20:36:46 CEST 2010


Reimar Döffinger wrote:
> On Thu, Aug 12, 2010 at 09:33:40PM +0400, Yuriy Kaminskiy wrote:
>> +        } else if (track->encodings[i].comp_algo == 3) {
>> +            modified = 1;
>> +            *dest = malloc(*size + track->encodings[i].comp_settings_len);
> 
> Integer overflow?
No different from zlib code just above? (and a lot of code nearby)
And there are already allocations for both *size and comp_settings_len.
Anyway, updated patches attached (and one more to follow later...)

>> +            memcpy(*dest, track->encodings[i].comp_settings, track->encodings[i].comp_settings_len);
>> +            memcpy(*dest + track->encodings[i].comp_settings_len, src, *size);
> 
> Possibly exploitable due to these
> 
>> +            *size += track->encodings[i].comp_settings_len;
> 
> And code duplication with the same integer overflow issue.
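
Review bot: the size passed to malloc, *size + track->encodings[i].comp_settings_len, is added with no bound check, and the pointer stored in *dest is handed to memcpy without a NULL test. If the sum wraps, the buffer is smaller than the comp_settings_len + *size bytes that the two memcpy calls then write into it; if malloc fails, the first memcpy writes through a null pointer. Suggest rejecting the block before the addition when comp_settings_len is larger than the maximum of the type of *size minus *size, checking *dest before either copy, and computing the new length once into a local so that the later "*size += ..." line reuses the checked value instead of repeating the addition. That the zlib branch above has the same pattern is a reason to fix both, ideally through one shared helper, rather than to add a third copy.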
-------------- next part --------------
A non-text attachment was scrubbed...
Name: full.02-demux-mkv-support-comp3.v2.patch
Type: text/x-diff
Size: 1440 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20100812/3147d897/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: min.01-demux-mkv-comp3-backport.v2.patch
Type: text/x-diff
Size: 1552 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20100812/3147d897/attachment-0001.patch>

