[Ffmpeg-devel] PIX_FMT_PAL8 seg fault

Michael Niedermayer michaelni
Fri Dec 2 01:25:44 CET 2005


Hi

On Wed, Nov 30, 2005 at 02:11:08PM +0000, Simon Kilvington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> 	there is a bug in libavcodec when it decodes small (e.g. 1x1)
> PIX_FMT_PAL8 format images - the get_buffer function
> avcodec_default_get_buffer doesn't alloc enough space for the palette
> entries, so when the palette data gets copied into the data[1] array it
> overflows the buffer on the heap and causes a seg fault the next time
> you use free/malloc (actually it does alloc enough space in base[1], but
> data[1] points to the middle of the buffer, so it overflows)
> 
> 	this is probably exploitable
> 
> 	you can trigger the bug by using avcodec_decode_video to read a
> 1x1 PNG file with a palette, calling avcodec_close afterwards causes a
> seg fault in glibc inside free
> 
> 	I've attached a patch to fix it, it works for me, but it's a bit
> of a hack so someone who knows more about libavcodec probably should
> have a look at it

should be fixed

[...]

-- 
Michael
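The report above boils down to a capacity mismatch: the allocation behind base[1] is big enough for a 256-entry palette, but data[1] points part-way into it, so a fixed-size palette copy runs off the end of the heap block. The following C program is an added illustration written for this archive page, not libavcodec code; the toy_frame struct, alloc_pal8_frame, plane_capacity and copy_palette_checked are constructed names. It models the base/data split the report describes and shows the check a get_buffer/palette-copy path needs: measure the bytes remaining from data[1] to the end of its allocation and refuse the copy when a full palette does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a frame with per-plane allocations (base[]) and the
 * pointers actually handed to the decoder (data[]). data[i] may sit at an
 * offset inside base[i], which is exactly the shape behind the reported bug. */
#define PAL_ENTRIES 256
#define PAL_BYTES   (PAL_ENTRIES * 4)   /* 256 32-bit palette entries */

typedef struct {
    uint8_t *base[2];   /* start of each heap allocation */
    uint8_t *data[2];   /* pointer used for writes; may be offset into base */
    size_t   size[2];   /* bytes allocated at base[i] */
} toy_frame;

/* Bytes available from data[plane] up to the end of its allocation.
 * Returns 0 for an unset plane or a data pointer outside its allocation. */
size_t plane_capacity(const toy_frame *f, int plane)
{
    const uint8_t *b = f->base[plane], *d = f->data[plane];
    if (!b || !d || d < b || d > b + f->size[plane])
        return 0;
    return f->size[plane] - (size_t)(d - b);
}

/* Bounded palette copy: returns 0 on success, -1 instead of overflowing. */
int copy_palette_checked(toy_frame *f, const uint32_t *palette, int entries)
{
    if (entries < 0 || entries > PAL_ENTRIES)
        return -1;
    size_t need = (size_t)entries * 4;
    if (plane_capacity(f, 1) < need)       /* the check the report's path lacked */
        return -1;
    memcpy(f->data[1], palette, need);
    return 0;
}

/* Allocate planes for a w x h 8-bit paletted image. Plane 1 gets PAL_BYTES plus
 * `slack` bytes, and data[1] is placed `offset` bytes into the block. With
 * offset > 0 and slack == 0 the layout reproduces the reported undersized case. */
int alloc_pal8_frame(toy_frame *f, int w, int h, size_t offset, size_t slack)
{
    memset(f, 0, sizeof *f);
    f->size[0] = (size_t)w * (size_t)h;     /* one index byte per pixel */
    f->base[0] = calloc(f->size[0] ? f->size[0] : 1, 1);
    f->data[0] = f->base[0];
    f->size[1] = PAL_BYTES + slack;
    f->base[1] = calloc(f->size[1], 1);
    f->data[1] = f->base[1] ? f->base[1] + offset : NULL;
    return (f->base[0] && f->base[1]) ? 0 : -1;
}

void free_frame(toy_frame *f)
{
    free(f->base[0]);
    free(f->base[1]);
    memset(f, 0, sizeof *f);
}

/* Runs both layouts for a 1x1 image. Returns 1 when the checked copy refuses
 * the undersized frame and accepts the properly sized one, 0 otherwise,
 * -1 on allocation failure. */
int demo(void)
{
    static uint32_t palette[PAL_ENTRIES];   /* constructed sample palette */
    for (int i = 0; i < PAL_ENTRIES; i++)
        palette[i] = 0xFF000000u | (uint32_t)i;

    toy_frame bad, good;
    if (alloc_pal8_frame(&bad, 1, 1, 16, 0))    /* data[1] 16 bytes in, only 1008 left */
        return -1;
    if (alloc_pal8_frame(&good, 1, 1, 16, 16))  /* slack covers the offset */
        return -1;

    int r_bad  = copy_palette_checked(&bad, palette, PAL_ENTRIES);
    int r_good = copy_palette_checked(&good, palette, PAL_ENTRIES);
    free_frame(&bad);
    free_frame(&good);
    return (r_bad == -1 && r_good == 0) ? 1 : 0;
}

int main(void)
{
    printf("checked palette copy behaves as expected: %d\n", demo());
    return 0;
}
```

The undersized frame would have been corrupted by an unchecked memcpy of 1024 bytes; here the copy is refused and the caller can fall back to allocating a plane that holds a full palette from data[1] onward, which is the property a fixed get_buffer has to guarantee.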