[FFmpeg-devel] [PATCH] Use correct colorspace in Cinepak decoder.

u-bo1b at 0w.se
Tue Feb 19 11:46:25 CET 2013


On Tue, Feb 19, 2013 at 09:17:47AM +0000, Carl Eugen Hoyos wrote:
> > > this patch seems to break decoding of
> > > https://ffmpeg.org/trac/ffmpeg/raw-attachment/ticket/1303/1.avi
> > 
> > The vulnerability has been there in the decoder from the 
> > beginning, it had no protection against writing outside the frame 
> > memory when any of the coordinates were not a multiple of 4.
> 
> valgrind does not report any invalid memory access for 
> the sample above, so is there really any 
> writing "outside the frame memory"?

Possibly not for this particular sample with the particular memory
allocation? The out-of-frame access would happen at vector decoding
phase where the decoder always wrote to 16 different pixels - the frame
had to have place for all of them. See cinepak_decode_vectors().

I noticed this problem as laracroft-cinepak-partial.avi in fate test
samples caused segfaults in ffplay (this video has 187 scan lines).
Remarkably, mplayer with the same decoder did not segfault and played fine.
I guess its memory allocation was different.

After the patch the decoder still always writes to the 4 pixels in the
uppermost row of each block, thus reducing the vulnerability but not
eliminating it. The second patch fixes this by rejecting unsafe strips.

Regards,
Rl
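As an added illustration of the defect discussed above (not code from either patch or from FFmpeg's Cinepak decoder): a block write that is clipped to the declared frame dimensions, plus a strip-level check that refuses any strip rectangle not fully inside the frame. The `frame_t` type, the 6x7 frame and the guard bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame descriptor (not FFmpeg's AVFrame): dimensions are explicit
   so every block write can be checked against them. */
typedef struct {
    uint8_t *data;
    int width;    /* valid pixels per row */
    int height;   /* scan lines */
    int stride;   /* bytes between rows, >= width */
} frame_t;

/* Hardened block write: a decoded 4x4 block at (bx, by) is clipped to the frame
   instead of being stored unconditionally. Returns the number of pixels stored,
   so a caller can see how much of the block fell outside the frame. */
int write_block_clipped(frame_t *f, int bx, int by, const uint8_t pix[16])
{
    int written = 0;
    for (int y = 0; y < 4 && by + y < f->height; y++)
        for (int x = 0; x < 4 && bx + x < f->width; x++) {
            f->data[(size_t)(by + y) * f->stride + bx + x] = pix[y * 4 + x];
            written++;
        }
    return written;
}

/* Strip-level check in the spirit of "rejecting unsafe strips": the strip
   rectangle must lie entirely inside the frame or it is not decoded at all. */
int strip_is_safe(const frame_t *f, int x1, int y1, int x2, int y2)
{
    return x1 >= 0 && y1 >= 0 && x1 < x2 && y1 < y2 &&
           x2 <= f->width && y2 <= f->height;
}

/* Self-check on a constructed 6x7 frame (neither dimension a multiple of 4),
   surrounded by guard bytes. Returns 1 if the guard bytes were never touched. */
int demo_guarded_frame(void)
{
    enum { W = 6, H = 7, GUARD = 32 };
    uint8_t buf[W * H + 2 * GUARD];
    memset(buf, 0xAA, sizeof buf);
    frame_t f = { buf + GUARD, W, H, W };
    uint8_t pix[16];
    for (int i = 0; i < 16; i++) pix[i] = (uint8_t)i;
    for (int by = 0; by < H; by += 4)          /* four 4x4 blocks cover 8x8, */
        for (int bx = 0; bx < W; bx += 4)      /* more than the 6x7 frame   */
            write_block_clipped(&f, bx, by, pix);
    for (int i = 0; i < GUARD; i++)
        if (buf[i] != 0xAA || buf[W * H + GUARD + i] != 0xAA) return 0;
    return 1;
}
```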
