[FFmpeg-cvslog] avidec: Check that the header chunks fit in the available filesize.

Michael Niedermayer michaelni at gmx.at
Fri Dec 16 15:31:18 CET 2011


On Fri, Dec 16, 2011 at 09:19:19AM +0000, Joakim Plate wrote:
>
> > @@ -387,6 +387,11 @@ static int avi_read_header(AVFormatContext *s,
> AVFormatParameters *ap)
> >          tag = avio_rl32(pb);
> >          size = avio_rl32(pb);
> >
> > +        if(size > avi->fsize){
> > +            av_log(s, AV_LOG_ERROR, "chunk size is too big during header
> parsing\n");
> > +            goto fail;
> > +        }
> > +
> >          print_tag("tag", tag, size);
> >
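Review bot: the new `+        if(size > avi->fsize){` check bounds only a chunk that starts at offset 0; for every later chunk the space actually available is the bytes remaining after the current read position, not the whole file, so a declared size up to fsize still passes at any offset. Comparing against the remaining length (fsize minus the position after the 8-byte tag/size header), in 64-bit arithmetic so position plus size cannot wrap, would make the check effective for all header chunks, not just the first.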
>
>
> This seems like it would only work for the first tag in the file?
> After that the remaining size is not fsize but fsize - avio_pos().

That's true, the test could be made tighter for later tags.
The practical difference would be quite small as this is just the
header, so the remaining filesize is likely not much smaller at its
end than at its beginning.


> Also I'm a bit concerned about growing avi files (only riff size known).
> But that may be unjustified.

If we have a bug there then avi_sync(), which didn't change recently,
should be looked over as it does:

if(i + (uint64_t)size > avi->fsize || d[0] > 127)

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 3
"Rare item" - "Common item with rare defect or maybe just a lie"
"Professional" - "'Toy' made in china, not functional except as doorstop"
"Experts will know" - "The seller hopes you are not an expert"
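The difference between the committed check and the tighter one discussed in the thread, as an added example that is not FFmpeg code: `size_fits_naive` compares a chunk's declared size against the whole file, `size_fits_remaining` compares it against the bytes left after the chunk's 8-byte header at the current position, and a small RIFF chunk walker uses the tighter form. The function names, the walker and the two byte buffers are constructed for this example and do not correspond to anything in avidec.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Naive form of the check: the declared size is compared against the whole
 * file. This is only correct for a chunk that starts at offset 0. */
int size_fits_naive(uint32_t size, uint64_t fsize)
{
    return (uint64_t)size <= fsize;
}

/* Tightened form: pos is the offset of the chunk tag (what avio_tell() would
 * report before reading it). The body must fit in the bytes that remain after
 * the 8-byte tag/size header. All arithmetic is 64-bit so pos + size cannot
 * wrap. Returns 1 if the chunk fits, 0 otherwise. */
int size_fits_remaining(uint64_t pos, uint32_t size, uint64_t fsize)
{
    if (pos > fsize || fsize - pos < 8)
        return 0;                       /* the header itself is cut off */
    return (uint64_t)size <= fsize - pos - 8;
}

/* Little-endian 32-bit read, the equivalent of avio_rl32() on a buffer. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the top-level chunks of buf[0..len) with the tightened check.
 * Returns the number of chunks accepted, or -1 at the first chunk whose
 * declared size does not fit. Odd-sized bodies carry a RIFF pad byte. */
int walk_chunks(const uint8_t *buf, size_t len)
{
    uint64_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 8)
            return -1;                  /* truncated header */
        uint32_t size = rl32(buf + pos + 4);
        if (!size_fits_remaining(pos, size, len))
            return -1;
        pos += 8 + size + (size & 1);
        n++;
    }
    return n;
}

/* Constructed test data: a 22-byte "file" with two well-formed chunks. */
static const uint8_t good_file[] = {
    'L','I','S','T', 4,0,0,0, 'h','d','r','l',
    'J','U','N','K', 2,0,0,0, 0,0
};

/* The same file with a third, header-only chunk at offset 22 that claims a
 * 22-byte body. 22 <= 30 passes the naive check; 0 bytes remain after its
 * header, so the tightened check rejects it. */
static const uint8_t bad_file[] = {
    'L','I','S','T', 4,0,0,0, 'h','d','r','l',
    'J','U','N','K', 2,0,0,0, 0,0,
    's','t','r','h', 22,0,0,0
};

int walk_good(void) { return walk_chunks(good_file, sizeof good_file); }
int walk_bad(void)  { return walk_chunks(bad_file,  sizeof bad_file);  }

int main(void)
{
    printf("good file: %d chunks\n", walk_good());
    printf("bad file:  %d\n", walk_bad());
    printf("naive check on the bad chunk: %d, tightened: %d\n",
           size_fits_naive(22, sizeof bad_file),
           size_fits_remaining(22, 22, sizeof bad_file));
    return 0;
}
```

For a growing file where only the RIFF size is known, the caller would pass that known bound as `fsize`; the 64-bit comparison then still rejects a size whose end would wrap past the current position, which is the property the `i + (uint64_t)size > avi->fsize` test in avi_sync() relies on.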

