[Ffmpeg-devel] h264, protection against corrupted data (second try patch)
Fri Jan 19 00:57:34 CET 2007
On Thu, Jan 18, 2007 at 12:48:39PM -0500, Frank wrote:
> On 1/17/07, Michael Niedermayer <michaelni at gmx.at> wrote:
> >On Wed, Jan 17, 2007 at 02:22:07PM -0500, Frank wrote:
> >> Attached is a patch for h264.c which are modifications I use to prevent
> >> crashes. I mean all modified lines are where I had a crash and debugged
> >> find out where it happened, There are probably other places where index
> >> applied to array which could result in overflow (or negative array
> >index). I
> >> read the post about fuzzer bugs (zzuf application) posted January 15th
> >> and it looks like decoders are really sensible to corrupted data and it
> >> convinced me to re-post my patch and also mention it would be a good
> >idea to
> >> increase array index verifications in h264.c (from my point of view of
> >> course)
> >> There is one crash which is due to sps_id being negative. I submited
> >> fix several weeks ago and it was rejected because apparently sps_id
> >> be negative. To reply to that I would say from a programming point of
> >> it is an "int" and when the 32bit value from the byte stream is bigger
> >> INT_MAX, it goes negative. Unless get_bits() shave bits to INT_MAX ?
> >sps_id should then be changed to unsigned int
> I've also changed pps_id to unsigned int while at it.
> There was one issue where a pps_id was assigned to an int so I did:
> int dequant_coeff_pps = (int) pps_id;
> which I believe is safe since pps_id is validated as being lower than 256
> when assigned and if uninitialized will be zero.
> The cast is compile-time difference and doesn't add run-time convertion.
> Anyway I don't see a lot of these cast in ffmpeg so this is why I mention it
> (in case it is not ok).
yes, we dont like such casts they make code unreadable
trailling whitespace isnt allowed in svn
> - while(ptr[dst_length - 1] == 0 && dst_length > 1)
> + while( ptr[dst_length - 1] == 0 && dst_length > 1 )
except these the patch looks ok
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the ffmpeg-devel