[Ffmpeg-devel] h264, protection against corrupted data

Frank eucloid
Wed Jan 17 20:22:07 CET 2007


Attached is a patch for h264.c containing the modifications I use to prevent
crashes. I mean all modified lines are where I had a crash and debugged to
find out where it happened. There are probably other places where indexes are
applied to arrays which could result in overflow (or a negative array index). I
read the post about fuzzer bugs (zzuf application) posted January 15th 2007
and it looks like decoders are really sensitive to corrupted data, and it
convinced me to re-post my patch and also mention it would be a good idea to
increase array index verifications in h264.c (from my point of view of
course).

There is one crash which is due to sps_id being negative. I submitted this
fix several weeks ago and it was rejected because apparently sps_id cannot
be negative. To reply to that I would say from a programming point of view
it is an "int" and when the 32-bit value from the byte stream is bigger than
INT_MAX, it goes negative. Unless get_bits() shaves bits to INT_MAX?

Some others are just verifying a NULL pointer or an array index. For example,
checking the return value of remove_short(), which returns negative on
failure, and the return value was used as an array index right after.

I have also included 3 comments where it crashed, one of which I don't know
how it can easily be fixed (line 4195, on pic being an invalid pointer). Please
remove the crash comments if you don't like them. (I have attached a patch
without them.)

Anyway I hope this tiny patch is welcome. Please don't think I'm criticizing
h264.c. It is great and allows me and lots of other people to undergo
interesting projects. Thanks.

Francois O.L.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: h264.c.17jan2007.diff
Type: application/octet-stream
Size: 6143 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070117/a07b197e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: h264.c.17jan2007_noCrashComments.diff
Type: application/octet-stream
Size: 4757 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070117/a07b197e/attachment-0001.obj>
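
The sps_id case raised in the message above, as an added example that is not part of the original post and is not FFmpeg code: a toy Exp-Golomb reader whose result is stored in an int, an upper-bound-only index check that lets the negative value through, and a single unsigned comparison that rejects it. BitReader, read_ue, lookup_sps, MAX_SPS_COUNT and the sample bytes are all constructed for illustration and make no claim about how get_bits() or h264.c behave.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SPS_COUNT 32 /* constructed table size for this example */

typedef struct { const uint8_t *buf; size_t size_bits, pos; } BitReader;

/* Constructed input: 31 zero bits, a 1, then the 31-bit suffix 0...01. */
static const uint8_t CORRUPT_SAMPLE[8] = { 0, 0, 0, 1, 0, 0, 0, 2 };
static int sps_table[MAX_SPS_COUNT];

/* Read one bit MSB-first; reads past the end of the buffer return 0. */
static unsigned read_bit(BitReader *br) {
    if (br->pos >= br->size_bits) return 0;
    unsigned bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
    br->pos++;
    return bit;
}

/* Unsigned Exp-Golomb: n zeros, a 1, n suffix bits; value = 2^n - 1 + suffix. */
static uint32_t read_ue(BitReader *br) {
    unsigned zeros = 0;
    uint32_t suffix = 0;
    while (zeros < 32 && read_bit(br) == 0) zeros++;
    for (unsigned i = 0; i < zeros; i++) suffix = (suffix << 1) | read_bit(br);
    return (uint32_t)((((uint64_t)1 << zeros) - 1) + suffix);
}

/* Upper-bound-only check: a negative index passes. */
static int sps_index_upper_only(int sps_id) { return sps_id < MAX_SPS_COUNT; }

/* One unsigned comparison rejects negative and too-large values alike. */
static int sps_index_valid(int sps_id) { return (unsigned)sps_id < MAX_SPS_COUNT; }

/* Parse an id and return its table slot, or NULL when the id is out of range. */
static const int *lookup_sps(BitReader *br) {
    /* Values above INT_MAX become negative here on two's-complement targets. */
    int sps_id = (int)read_ue(br);
    return sps_index_valid(sps_id) ? &sps_table[sps_id] : NULL;
}

int main(void) {
    BitReader a = { CORRUPT_SAMPLE, 64, 0 }, b = a;
    int id = (int)read_ue(&a);
    printf("id=%d upper_only=%d valid=%d slot=%p\n", id,
           sps_index_upper_only(id), sps_index_valid(id), (void *)lookup_sps(&b));
    return 0;
}
```

The same unsigned comparison applies to any int used as an index right after it is produced, including a function return value that is negative on failure.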


