[FFmpeg-devel] [PATCH] EA ADPCM R1, R2 and R3

Michael Niedermayer michaelni
Tue Oct 23 10:35:11 CEST 2007


Hi

On Tue, Oct 23, 2007 at 06:15:09PM +1000, pross at xvid.org wrote:
[...]
> > > > completely missing checks for array bounds, this should be exploitable
> > > 
> > > Right. Check added at the start of this decoding code.
> > 
> > have you considered that the *channels in this check can overflow and thus
> > the check would fail ...
> 
> that would be caught earlier by adpcm_decode_init using the "if channels>6U fail" sanity check.

+        samples_in_chunk = (big_endian ? bytestream_get_be32(&src)
+                                       : bytestream_get_le32(&src)) / 28;
+        if (samples + 28*samples_in_chunk*avctx->channels >= samples_end) {
+            src += buf_size - 4;
+            break;
+        }
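Review bot: the `if (samples + 28*samples_in_chunk*avctx->channels >= samples_end)` check can itself overflow and so be bypassed: `samples_in_chunk` is an attacker-controlled 32-bit field divided by 28, so `28*samples_in_chunk` alone can reach about 2^31, and multiplying by `avctx->channels` (up to 6 after the init sanity check) pushes the product past INT_MAX, where it wraps to a small or negative value and `samples + ...` compares below `samples_end`; the pointer addition can wrap as well. Compare the count against the room that is left instead of multiplying the count, e.g. `if (samples_in_chunk > (samples_end - samples) / (28*avctx->channels))`, so the only product is 28*channels. Note also that the current `>=` rejects a chunk that exactly fills the remaining buffer, which the division form with `>` accepts.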

samples_in_chunk= ((1<<31)+12) / 28
samples + 28*samples_in_chunk*2 >= samples_end

and besides the *channels, the + can overflow as well

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many that live deserve death. And some that die deserve life. Can you give
it to them? Then do not be too eager to deal out death in judgement. For
even the very wise cannot see all ends. -- Gandalf
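The overflow described in the mail, worked through as an added example (this is not FFmpeg's code and not the patch under review): it models the patch's `samples + 28*samples_in_chunk*channels >= samples_end` test with an offset in place of the pointer, feeds it Michael's counterexample of a 32-bit count field equal to (1<<31)+12 with two channels, and contrasts it with a division-based check that cannot wrap. The names `room`, `raw_count`, `naive_needed`, `true_needed`, `naive_check_passes` and `safe_check_passes`, the 1000-sample buffer and the output buffer layout are assumptions made for the example.

```c
/* Added example, not FFmpeg code: models the bounds check quoted in the
 * patch above on Michael's counterexample, next to a division-based check
 * that cannot overflow. Names and the buffer size are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHUNK_SAMPLES 28u   /* samples per channel per chunk, as in the patch */
#define MAX_CHANNELS  6     /* the "if channels>6U fail" check in adpcm_decode_init */

/* What 28*samples_in_chunk*channels evaluates to in 32-bit arithmetic.
 * Signed overflow is undefined in C, so the wrap is modelled explicitly in
 * uint32_t and the result reinterpreted the way the decoder's int would be
 * (two's complement, implementation-defined but universal on real targets). */
static int32_t naive_needed(uint32_t raw_count, int channels)
{
    uint32_t samples_in_chunk = raw_count / CHUNK_SAMPLES;
    uint32_t n = CHUNK_SAMPLES * samples_in_chunk * (uint32_t)channels;
    return (int32_t)n;
}

/* The number of output samples the chunk would really write, without wrap. */
static uint64_t true_needed(uint32_t raw_count, int channels)
{
    return (uint64_t)CHUNK_SAMPLES * (raw_count / CHUNK_SAMPLES) * (uint64_t)channels;
}

/* The patch's check with the pointer arithmetic turned into an offset:
 * decoding proceeds when samples + needed < samples_end, i.e. needed < room.
 * Returns 1 when the check would let the chunk through. */
static int naive_check_passes(size_t room, uint32_t raw_count, int channels)
{
    int32_t needed = naive_needed(raw_count, channels);
    return (int64_t)needed < (int64_t)room;
}

/* Overflow-free form: divide the room left by the per-chunk footprint
 * instead of multiplying the attacker-controlled count. The only product
 * is 28*channels <= 168. Returns 1 when the chunk genuinely fits. */
static int safe_check_passes(size_t room, uint32_t raw_count, int channels)
{
    if (channels < 1 || channels > MAX_CHANNELS)
        return 0;
    uint32_t samples_in_chunk = raw_count / CHUNK_SAMPLES;
    size_t per_chunk = (size_t)CHUNK_SAMPLES * (size_t)channels;
    return samples_in_chunk <= room / per_chunk;
}

int main(void)
{
    /* Michael's counterexample: a 32-bit count field of (1<<31)+12, stereo,
     * with a hypothetical 1000 samples of room left in the output buffer. */
    uint32_t raw_count = (1u << 31) + 12u;
    int channels = 2;
    size_t room = 1000;

    printf("wrapped 28*n*ch = %d, real need = %llu samples\n",
           naive_needed(raw_count, channels),
           (unsigned long long)true_needed(raw_count, channels));
    printf("patch check lets chunk through: %d\n",
           naive_check_passes(room, raw_count, channels));
    printf("division check lets chunk through: %d\n",
           safe_check_passes(room, raw_count, channels));
    return 0;
}
```

With (1<<31)+12 the count field divides exactly to 76695845 chunks; 28 times that is 2147483660, already past INT_MAX, and doubling it for two channels wraps to 24, so the patch's check sees a 24-sample write where the decoder would actually emit about 4.29e9 samples. The division form never multiplies the untrusted count, so the same input is rejected.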