[FFmpeg-cvslog] r19973 - trunk/libavcodec/utils.c

Reimar Döffinger Reimar.Doeffinger
Wed Sep 23 10:40:24 CEST 2009

On Wed, Sep 23, 2009 at 12:44:56AM +0200, michael wrote:
> Author: michael
> Date: Wed Sep 23 00:44:56 2009
> New Revision: 19973
> Log:
> Check codec_id and codec_type in avcodec_open(), based on 43_codec_type_mismatch.patch from chrome
> This is said to be able to lead to a stack based buffer overflow.

Note that going by the description the real issue is elsewhere, more
specifically in the mov demuxer.
That one sets codec_type without checking or setting codec_id etc.,
which means that e.g. the following can happen:
first tag sets codec_type = audio, codec_id = mp3
next tag sets codec_type = video.
End results: codec_type = video, codec_id = mp3
Though with the sample file I can not find anything that would cause
exploitable issues, it only says:
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x2529410]Could not find codec parameters (Video: mp3, 16 kb/s)
h264.705767.mp4: could not find codec parameters
Though I guess all kinds of things can go wrong when you actually try to
decode and these still don't match.
Either way, the mov demuxer must be fixed to keep the codec_type and
codec_id it ends up with consistent.

More information about the ffmpeg-cvslog mailing list