[FFmpeg-devel] stsz overflow

Frank Barchard fbarchard
Tue Aug 25 19:16:52 CEST 2009


On Tue, Aug 25, 2009 at 9:16 AM, Reimar D?ffinger
<Reimar.Doeffinger at gmx.de>wrote:

> On Tue, Aug 25, 2009 at 09:11:21AM -0700, Baptiste Coudurier wrote:
> > > Wow, what a mess (IMO). I think we are already at the point where it
> > > would be simpler to just get rid of that buffer and directly read the
> > > values "one by one" from the file.
> >
> > No, it was decided to be done that way when the patch was submitted.
>
> Obviously the review at that time did not take into account the
> additional code and complexity of avoiding buffer overflows, which
> unless someone comes up with a cleaner check is a really good reason
> to reconsider that decision.


Here is the simplest change that addresses the math overflow.  It limits
stsz to 134,217,728 entries.

Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c   (revision 19697)
+++ libavformat/mov.c   (working copy)
@@ -1256,7 +1256,7 @@
         return -1;
     }

-    if(entries >= UINT_MAX / sizeof(int))
+    if(entries >= UINT_MAX / 32)  /* avoids buffer overrun */
         return -1;
     sc->sample_sizes = av_malloc(entries * sizeof(int));
     if (!sc->sample_sizes)



More information about the ffmpeg-devel mailing list