[Ffmpeg-devel] [PATCH] Fix 2 buffer overflows in dtsdec.c

Uoti Urpala uoti.urpala
Thu Apr 20 16:59:28 CEST 2006

dtsdec.c copies one input packet at a time to a (static) buffer; the
buffer size is 4096 bytes while the copied packet size can be up to
18726 bytes.

The code also keeps decoding until all input data has been used up,
writing an unbounded amount of bytes to the output buffer and not

The patch increases the internal buffer size and makes the code return
after decoding one frame. Also changes dts_decode_init to return -1, not
1, on failure. Required reindentation is not included in the patch.

vorbis.c looks like it might also write more than
AVCODEC_MAX_AUDIO_FRAME_SIZE bytes of output if the input specifies a
huge number of channels, but I haven't verified whether that can
actually happen.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dtsdec.c.diff
Type: text/x-patch
Size: 1552 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20060420/cf3cb852/attachment.bin>
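
The two fixes the message describes, shown on a constructed toy decoder. This is an added example, not FFmpeg's dtsdec.c and not the attached patch. The length-prefixed framing and the names `toy_dec` and `toy_decode` are assumptions made for illustration; only the 4096 and 18726 byte figures come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy framing (not DTS): 2-byte big-endian payload length + payload. */
#define MAX_FRAME 18726   /* largest packet size named in the message */
#define HDR 2

typedef struct {
    uint8_t buf[MAX_FRAME];   /* sized for the largest frame, not 4096 */
    size_t  fill;             /* bytes currently buffered */
} toy_dec;

/* Decode at most one frame per call. Returns input bytes consumed, or -1 on
 * error; *out_len is the bytes written to out (0 while more input is needed). */
static int toy_decode(toy_dec *d, const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t used = 0, need, n;
    *out_len = 0;

    if (d->fill < HDR) {                       /* collect the length header */
        n = HDR - d->fill;
        if (n > in_len) n = in_len;
        memcpy(d->buf + d->fill, in, n);
        d->fill += n; used += n;
        if (d->fill < HDR) return (int)used;
    }
    need = HDR + (((size_t)d->buf[0] << 8) | d->buf[1]);
    /* Reject before copying: frame must fit the internal and the output buffer. */
    if (need > sizeof d->buf || need - HDR > out_cap) { d->fill = 0; return -1; }

    n = need - d->fill;                        /* copy only up to this frame's end */
    if (n > in_len - used) n = in_len - used;
    memcpy(d->buf + d->fill, in + used, n);
    d->fill += n; used += n;
    if (d->fill < need) return (int)used;

    /* One complete frame: emit it and return; leftover input stays with the caller. */
    memcpy(out, d->buf + HDR, need - HDR);
    *out_len = need - HDR;
    d->fill = 0;
    return (int)used;
}

int main(void) {
    static toy_dec d; uint8_t out[16]; size_t n;
    const uint8_t in[] = {0, 3, 'a', 'b', 'c', 0, 2, 'd', 'e'};  /* constructed */
    return toy_decode(&d, in, sizeof in, out, sizeof out, &n) == 5 && n == 3 ? 0 : 1;
}
```

The caller advances its input pointer by the returned count and calls again, so each call writes at most one frame to an output buffer whose capacity was checked first.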
