[FFmpeg-cvslog] fraps: check for overread

Reimar Döffinger Reimar.Doeffinger at gmx.de
Wed Nov 9 19:18:48 CET 2011


On Wed, Nov 09, 2011 at 12:18:45AM +0100, Michael Niedermayer wrote:
> ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Nov  8 22:42:50 2011 +0100| [3bdfef31ac135add243f9ddde99d6b3cee953833] | committer: Michael Niedermayer
> 
> fraps: check for overread
> Fixeds Ticket619
> 
> Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> 
> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3bdfef31ac135add243f9ddde99d6b3cee953833
> ---
> 
>  libavcodec/fraps.c      |    2 ++
>  tests/ref/fate/fraps-v5 |    1 -
>  2 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
> index d6f9a55..0844fa7 100644
> --- a/libavcodec/fraps.c
> +++ b/libavcodec/fraps.c
> @@ -114,6 +114,8 @@ static int fraps2_decode_plane(FrapsContext *s, uint8_t *dst, int stride, int w,
>              else if(Uoff) dst[i] += 0x80;
>          }
>          dst += stride;
> +        if(get_bits_left(&gb) < 0)
> +            return -1;
>      }
>      free_vlc(&vlc);
>      return 0;

This is wrong.
First, checking only once per line is questionable at least, and I'd
expect it can overread and crash with certain VLC tables.
More importantly you skip the free_vlc and it will thus leak memory.
Philosophically I also disagree a bit with failing completely when
we (probably) managed to decode a large part of the frame perfectly
fine, doubly so because fraps reuses the previous frame which means
we actually would have kind of error concealment.


More information about the ffmpeg-cvslog mailing list