[Ffmpeg-devel] [PATCH] Musepack out of bounds accesses

Reimar Döffinger Reimar.Doeffinger
Sat Jan 13 16:43:28 CET 2007


Hello,
The attached patch fixes two such.
The first is in the demuxer, during playback-index building: there is no check that the
index array is large enough. It would be possible to realloc it, but I'm
not sure if that's such a good idea, thinking e.g. of doing streaming
(esp. since I think it does not respect noidx?).
The other one is because the decoder does not provide the padding the
bitstream reader needs.
The first issue regularly causes crashes at the end of playback for my files
(and someone else's on Windows, too).

Greetings,
Reimar Döffinger
-------------- next part --------------
Index: libavcodec/mpc.c
===================================================================
--- libavcodec/mpc.c	(revision 7444)
+++ libavcodec/mpc.c	(working copy)
@@ -231,7 +231,7 @@
         av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
     }
 
-    bits = av_malloc((buf_size - 1) & ~3);
+    bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
     c->dsp.bswap_buf(bits, buf + 4, (buf_size - 4) >> 2);
     init_get_bits(&gb, bits, (buf_size - 4)* 8);
     skip_bits(&gb, buf[0]);
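Review bot: the padding added in `bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);` is never cleared, and av_malloc() does not zero memory, so the bit reader's final fetch now stays inside the allocation but reads whatever the heap held before; decoded output for the last frame can then depend on stale heap contents. Zero the tail after the allocation, e.g. `memset(bits + ((buf_size - 1) & ~3), 0, FF_INPUT_BUFFER_PADDING_SIZE);`, or allocate with av_mallocz(). The av_malloc() return value is also not checked before bswap_buf() writes through it. The sizing itself is fine: (buf_size - 1) & ~3 is never smaller than the (buf_size - 4) bytes that bswap_buf() produces and init_get_bits() is told about.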
Index: libavformat/mpc.c
===================================================================
--- libavformat/mpc.c	(revision 7444)
+++ libavformat/mpc.c	(working copy)
@@ -140,7 +140,7 @@
     url_fseek(&s->pb, pos, SEEK_SET);
 
     size = ((size2 + curbits + 31) & ~31) >> 3;
-    if(cur == c->frames_noted){
+    if(cur == c->frames_noted && cur < c->fcount){
         c->frames[cur].pos = pos;
         c->frames[cur].size = size;
         c->frames[cur].skip = curbits - 20;
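Review bot: `if(cur == c->frames_noted && cur < c->fcount){` makes the overflow go away but does so silently: once cur reaches fcount (presumably the frame count the header announced, so the file carries more frames than it claims) every further entry is dropped and the only symptom is a later failed seek. Add an `else if(cur == c->fcount)` branch that logs once at AV_LOG_WARNING so a truncated index is diagnosable, and double-check that whatever advances frames_noted (not visible in this hunk) does not keep cur == frames_noted true on every subsequent frame, which would make such a warning repeat per frame.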
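The two failure modes the message describes, as an added example that is not FFmpeg's code: a bit reader that, like init_get_bits()/get_bits(), always fetches a whole 32-bit word and so touches up to three bytes past the last valid one, the zeroed padding that makes that final fetch safe (malloc() and av_malloc() both hand back uninitialized memory), and an index insert with the capacity check the demuxer patch adds. PADDING_SIZE, BitReader, FrameIndex, index_note_frame and the sample payload are all hypothetical stand-ins; the frames_noted bookkeeping is an assumption, since the demuxer's increment is not shown in the patch.

```c
/* Added example, not FFmpeg code: names and bookkeeping are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PADDING_SIZE 8 /* stand-in for FF_INPUT_BUFFER_PADDING_SIZE */

typedef struct {
    const uint8_t *buf;
    int size_in_bits;   /* valid payload length in bits */
    int index;          /* bit position of the next read */
} BitReader;

static void br_init(BitReader *gb, const uint8_t *buf, int size_in_bits)
{
    gb->buf = buf;
    gb->size_in_bits = size_in_bits;
    gb->index = 0;
}

/* Bytes past the valid payload that the next fetch touches.  The reader loads
 * a whole 32-bit word starting at byte index>>3, so near the end it reaches up
 * to 3 bytes beyond the data: the slack an unpadded buffer lacks. */
static int br_overread_bytes(const BitReader *gb)
{
    int valid_bytes = (gb->size_in_bits + 7) >> 3;
    int fetch_end   = (gb->index >> 3) + 4;
    return fetch_end > valid_bytes ? fetch_end - valid_bytes : 0;
}

/* Read 1..24 bits, most significant first.  As in the real reader there is no
 * per-bit bounds check; the caller guarantees the padding exists. */
static unsigned br_get_bits(BitReader *gb, int n)
{
    const uint8_t *p = gb->buf + (gb->index >> 3);
    uint32_t w = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                 (uint32_t)p[2] << 8  | (uint32_t)p[3];
    unsigned v = (w << (gb->index & 7)) >> (32 - n);
    gb->index += n;
    return v;
}

/* Copy a payload into a fresh buffer followed by PADDING_SIZE zeroed bytes.
 * The padding is memset explicitly because malloc() does not clear memory;
 * without that the tail fetch reads stale heap contents. */
static uint8_t *alloc_padded(const uint8_t *payload, int len)
{
    uint8_t *bits = malloc((size_t)len + PADDING_SIZE);
    if (!bits)
        return NULL;
    memcpy(bits, payload, (size_t)len);
    memset(bits + len, 0, PADDING_SIZE);
    return bits;
}

typedef struct { int64_t pos; int size; int skip; } FrameEntry;

typedef struct {
    FrameEntry *frames;
    unsigned fcount;        /* capacity of frames[] */
    unsigned frames_noted;  /* entries stored so far (assumed bookkeeping) */
} FrameIndex;

/* Store frame 'cur' the way the demuxer does, with the bound the patch adds.
 * Returns 1 if stored, 0 if dropped (out of order, already noted, or full). */
static int index_note_frame(FrameIndex *c, unsigned cur, int64_t pos,
                            int size, int skip)
{
    if (cur != c->frames_noted || cur >= c->fcount)
        return 0;
    c->frames[cur].pos  = pos;
    c->frames[cur].size = size;
    c->frames[cur].skip = skip;
    c->frames_noted++;
    return 1;
}

int main(void)
{
    /* constructed 5-byte payload: the read of its last byte fetches 3 bytes
     * beyond it, which only the padding makes legal */
    static const uint8_t payload[5] = { 0xA5, 0x5A, 0xFF, 0x00, 0x3C };
    uint8_t *bits = alloc_padded(payload, 5);
    BitReader gb;
    int over;
    unsigned last, cur, stored = 0;
    FrameEntry entries[3];
    FrameIndex idx = { entries, 3, 0 };

    if (!bits)
        return 1;
    br_init(&gb, bits, 40);
    br_get_bits(&gb, 4); br_get_bits(&gb, 12); br_get_bits(&gb, 16);
    over = br_overread_bytes(&gb);
    last = br_get_bits(&gb, 8);
    printf("last fetch touches %d padding byte(s); last byte 0x%02X\n", over, last);
    free(bits);

    for (cur = 0; cur < 5; cur++)           /* 5 frames into a 3-entry index */
        stored += index_note_frame(&idx, cur, (int64_t)cur * 100, 100, 4);
    printf("%u of 5 frames indexed (capacity %u)\n", stored, idx.fcount);
    return 0;
}
```

br_overread_bytes() is the number to keep in mind when sizing a buffer for a word-fetching reader: it is never more than 3 here, but a reader that prefetches 64-bit words needs correspondingly more, which is why FFmpeg exposes the requirement as a named constant rather than a literal. The index helper returns 0 instead of writing past frames[], so a caller can count drops and warn once rather than crash at end of playback.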


