[Ffmpeg-devel] PIX_FMT_PAL8 seg fault

Simon Kilvington s.kilvington
Wed Nov 30 15:11:08 CET 2005



Hi,

There is a bug in libavcodec when it decodes small (e.g. 1x1)
PIX_FMT_PAL8 format images: the get_buffer function
avcodec_default_get_buffer doesn't alloc enough space for the palette
entries, so when the palette data gets copied into the data[1] array it
overflows the buffer on the heap and causes a seg fault the next time
you use free/malloc (actually it does alloc enough space in base[1], but
data[1] points to the middle of the buffer, so it overflows).

This is probably exploitable.

You can trigger the bug by using avcodec_decode_video to read a
1x1 PNG file with a palette; calling avcodec_close afterwards causes a
seg fault in glibc inside free.

I've attached a patch to fix it. It works for me, but it's a bit
of a hack, so someone who knows more about libavcodec probably should
have a look at it.

I've also attached a PNG file that will trigger it. This PNG
file is currently being broadcast on a DVB carousel to everyone in the
UK, so it's not some contrived example.

--
Simon Kilvington


Attachments:

- Patch: ffmpeg-0.4.9_p20050906-pal8.patch
  URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20051130/9fd15dfe/attachment.txt>
- Trigger file: pal8bug.png (image/png, 139 bytes)
  URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20051130/9fd15dfe/attachment.png>
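The sizing problem the report describes (the block behind base[1] is big enough, but data[1] starts part-way into it, so a full 1024-byte palette no longer fits) can be illustrated with a small model and the bounds check a decoder should apply before copying the palette. This is an added example, not the attached patch or libavcodec's own code; the struct, the pal8_* functions and the sample offsets are assumptions, only AVPALETTE_SIZE matches libavcodec.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define AVPALETTE_SIZE 1024  /* 256 palette entries x 4 bytes, as in libavcodec */

/* Hypothetical model of the second plane of a PAL8 frame: one heap block
 * (base[1]) of pal_block bytes, with data[1] = base[1] + pal_offset. */
struct pal8_buf {
    size_t pal_block;   /* bytes allocated behind base[1] */
    size_t pal_offset;  /* data[1] - base[1] (alignment padding etc.) */
};

/* Bytes actually usable for the palette behind data[1]. */
static size_t pal8_room(const struct pal8_buf *b)
{
    return b->pal_offset >= b->pal_block ? 0 : b->pal_block - b->pal_offset;
}

/* The check that is missing in the reported bug: does a whole palette fit
 * behind data[1], not merely behind base[1]? */
static int pal8_palette_fits(const struct pal8_buf *b)
{
    return pal8_room(b) >= AVPALETTE_SIZE;
}

/* Corrected sizing: account for the offset of data[1] when allocating base[1]. */
static size_t pal8_fixed_block(size_t pal_offset)
{
    return pal_offset + AVPALETTE_SIZE;
}

/* Copy the palette into data[1] only when it fits. Returns 0 on success,
 * -1 when the copy would run past the end of the block (the heap overflow). */
static int pal8_copy_palette(const struct pal8_buf *b, unsigned char *base1,
                             const unsigned char *palette)
{
    if (!pal8_palette_fits(b))
        return -1;
    memcpy(base1 + b->pal_offset, palette, AVPALETTE_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed 1x1 case: block sized for exactly one palette, but data[1]
     * sits 16 bytes into it, so the copy would overflow by 16 bytes. */
    struct pal8_buf naive = { AVPALETTE_SIZE, 16 };
    struct pal8_buf fixed = { pal8_fixed_block(16), 16 };
    return pal8_palette_fits(&naive) || !pal8_palette_fits(&fixed);
}
```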


