[Ffmpeg-devel] Re: [PATCH] FFmpeg theora encoding

Michael Niedermayer michaelni
Sun Jan 21 19:57:57 CET 2007


Hi

On Wed, Jan 17, 2007 at 09:40:19PM +0000, Paul Richards wrote:
[...]


> +/*!
> +    Concatenates an ogg_packet into the extradata.
> +*/
> +static void concatenate_packet(unsigned int* offset, AVCodecContext* avc_context, const ogg_packet* packet)
> +{
> +    avc_context->extradata_size += 2 + packet->bytes;
> +    avc_context->extradata = av_realloc( avc_context->extradata, avc_context->extradata_size );
> +    avc_context->extradata[ (*offset)++ ] = packet->bytes >> 8;
> +    avc_context->extradata[ (*offset)++ ] = packet->bytes & 0xff;
> +    memcpy( avc_context->extradata + (*offset), packet->packet, packet->bytes );
> +    (*offset) += packet->bytes;
> +}
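Review bot: the 2-byte length prefix written at extradata[(*offset)++] silently truncates any packet whose packet->bytes exceeds 0xffff, because only "packet->bytes >> 8" and "packet->bytes & 0xff" are stored while the full length is still memcpy'd; reject (or otherwise handle) such packets before growing the buffer. Also assign the av_realloc() result to a temporary rather than straight into avc_context->extradata, so a NULL return neither overwrites and leaks the existing buffer nor gets dereferenced by the writes that follow.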

I've already said this function is not safe security-wise ... it may be
safe with the current libtheora and the current libtheora wrapper for libavcodec,
but it is not safe in general: if the source file can somehow cause a large
comment packet to be injected (not so unlikely, as comments from the source
should be preserved; I know they are not currently, but the safety of code should
not depend on missing features) then this could become problematic ...

If this is not corrected, the patch will not be applied.

What must be done at minimum:
1. check the return of av_realloc() against NULL; the first access afterwards
is to [*offset], not to [0] ...
2. avc_context->extradata_size += 2 + packet->bytes; must be checked for
overflows


[...]
> +    switch (result) {
> +        case 0:
> +            /* No packet is ready */
> +            return 0;
> +        case -1:
> +            /* Encoding finished */
> +            return 0;
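Review bot: case 0 and case -1 both end in "return 0;", so the caller cannot distinguish "no packet is ready" from "encoding finished". If that is intended, collapse the two labels onto one return (case 0: case -1: return 0;) rather than duplicating the statement; if the caller does need to know the stream has ended, return a distinct value for the -1 case and document it.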

return 0; is duplicated:

case  0:/* No packet is ready */
case -1:/* Encoding finished */
    return 0;


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
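A checked version of the quoted concatenate_packet() that implements both minimum fixes above (NULL check on the reallocation, overflow check on extradata_size) and also refuses packets longer than the 2-byte length prefix can carry. This is an added example, not code from the patch or from FFmpeg: it uses plain realloc() and hand-written stand-ins for AVCodecContext and ogg_packet so it compiles without the ffmpeg or libogg headers, and the sample packets are constructed.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the libavcodec/libogg structs (constructed, not real headers). */
typedef struct { unsigned char *extradata; int extradata_size; } AVCodecContext;
typedef struct { unsigned char *packet; long bytes; } ogg_packet;

/* Checked variant of the patch's concatenate_packet(): same layout (2-byte big-endian
   length, then payload), but every failure returns -1 and leaves the context untouched. */
static int concatenate_packet_checked(unsigned int *offset, AVCodecContext *avc,
                                      const ogg_packet *packet)
{
    unsigned char *tmp;
    int new_size;
    /* A 2-byte prefix holds at most 0xffff; the original drops the high bits. */
    if (packet->bytes < 0 || packet->bytes > 0xffff) return -1;
    /* Review point 2: extradata_size + 2 + bytes must not overflow int. */
    if ((long)avc->extradata_size > INT_MAX - 2 - packet->bytes) return -1;
    new_size = avc->extradata_size + 2 + (int)packet->bytes;
    /* Review point 1: realloc into a temporary so a NULL return neither leaks
       the old buffer nor is dereferenced (libavcodec would use av_realloc). */
    if (!(tmp = realloc(avc->extradata, (size_t)new_size))) return -1;
    avc->extradata      = tmp;
    avc->extradata_size = new_size;
    avc->extradata[(*offset)++] = (unsigned char)(packet->bytes >> 8);
    avc->extradata[(*offset)++] = (unsigned char)(packet->bytes & 0xff);
    memcpy(avc->extradata + *offset, packet->packet, (size_t)packet->bytes);
    *offset += (unsigned int)packet->bytes;
    return 0;
}

/* Constructed walk-through: two header packets (3 and 2 bytes) are accepted, then an
   oversized packet and a size that would wrap are refused. Returns 9 on success, -1 otherwise. */
static int demo_checked_concat(void)
{
    unsigned char a[3] = { 0x80, 't', 'h' }, b[2] = { 'e', 'o' };
    ogg_packet p1 = { a, 3 }, p2 = { b, 2 }, big = { a, 0x10000L };
    AVCodecContext ctx = { NULL, 0 }, full = { NULL, INT_MAX - 2 };
    unsigned int off = 0;
    int size = -1;
    if (concatenate_packet_checked(&off, &ctx, &p1) == 0 &&
        concatenate_packet_checked(&off, &ctx, &p2) == 0 && off == 9 &&
        ctx.extradata[1] == 3 && ctx.extradata[2] == 0x80 && ctx.extradata[6] == 2 &&
        concatenate_packet_checked(&off, &ctx, &big) == -1 && off == 9 &&
        concatenate_packet_checked(&off, &full, &p2) == -1 && !full.extradata)
        size = ctx.extradata_size;
    free(ctx.extradata);
    return size;
}
```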
