[Ffmpeg-devel] [PATCH] Fix 2 buffer overflows in dtsdec.c

Michael Niedermayer michaelni
Thu Apr 20 20:00:14 CEST 2006


Hi

On Thu, Apr 20, 2006 at 05:59:28PM +0300, Uoti Urpala wrote:
> dtsdec.c copies one input packet at a time to a (static) buffer, the

argh, this should have never slipped through ... :(
I might disable this codec if this isn't fixed quickly (don't want to
think about race conditions ...)


> buffer size is 4096 bytes while the copied packet size can be up to
> 18726 bytes.
> 
> The code also keeps decoding until all input data has been used up,
> writing an unbounded amount of bytes to the output buffer and not
> respecting AVCODEC_MAX_AUDIO_FRAME_SIZE.
> 
> The patch increases the internal buffer size and makes the code return
> after decoding one frame. Also changes dts_decode_init to return -1, not
> 1, on failure. Required reindentation is not included in the patch.

looks ok, at least it can hardly be worse than the current code ...


[...]

-- 
Michael

In the past you could go to a library and read, borrow or copy any book
Today you'd get arrested for mere telling someone where the library is
