[FFmpeg-devel] Neither vorbis_parse_setup_hdr_codebooks nor ff_vorbis_len2vlc verify data

Reimar Döffinger Reimar.Doeffinger
Sun Jul 5 10:18:02 CEST 2009


Hello,
sample is ogv/smclock.ogv.2.164.ogv from issue 1240.
vorbis_parse_setup_hdr_codebooks can at least create values up to 33
(get_bits(gb, 5)+1) in the bits array (I am unsure what is possible in
the ordered case, looks like even higher values are possible).
ff_vorbis_len2vlc, which these values are then passed to, on the other
hand just assumes that the bits values are at most 32; otherwise it just
writes beyond the exit_at_level and onto the stack, overwriting the
return address.
Since there is no documentation for the function, the question is which
is wrong? Should ff_vorbis_len2vlc have a check or should
vorbis_parse_setup_hdr_codebooks?
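As an added illustration (not FFmpeg's code and not a patch from this thread), a C sketch of where a bounds check on the codeword lengths belongs before they reach a len2vlc-style builder. The ordered-length expansion is modelled from the Vorbis codebook layout with constructed inputs instead of FFmpeg's GetBitContext, and the limit of 32 assumes a per-level table like exit_at_level[33] indexed 0..32.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest codeword length a VLC builder with a 33-entry per-level table
 * (indices 0..32, assumed here) can address. */
#define VORBIS_MAX_CODELEN 32

/* Guard to run before handing bits[] to a len2vlc-style builder.
 * Length 0 means "unused entry" and is allowed. Returns 0 if every
 * length is in range, -1 otherwise. */
int vorbis_codelens_valid(const uint8_t *bits, unsigned num)
{
    for (unsigned i = 0; i < num; i++)
        if (bits[i] > VORBIS_MAX_CODELEN)
            return -1;
    return 0;
}

/* Expands the Vorbis "ordered" codebook layout into per-entry lengths.
 * first_len is the decoded 5-bit field plus one (1..32); counts[k] is
 * the number of entries that get length first_len + k (constructed
 * input here, standing in for the values read from the stream). Every
 * run raises the length by one, so with enough runs it climbs past 32,
 * which is where the check must fire. Returns 0 on success, -1 on
 * invalid data. */
int vorbis_expand_ordered_lens(uint8_t *bits, unsigned num,
                               unsigned first_len,
                               const unsigned *counts, unsigned nruns)
{
    unsigned len = first_len, entry = 0;
    for (unsigned k = 0; k < nruns; k++, len++) {
        if (len > VORBIS_MAX_CODELEN)      /* would index past the table */
            return -1;
        if (counts[k] > num - entry)       /* more entries than the book has */
            return -1;
        for (unsigned n = 0; n < counts[k]; n++)
            bits[entry++] = (uint8_t)len;
    }
    return entry == num ? 0 : -1;          /* every entry needs a length */
}

int main(void)
{
    /* Constructed sample: three entries whose lengths would be 31, 32, 33. */
    uint8_t bits[3];
    const unsigned counts[3] = { 1, 1, 1 };
    int rc = vorbis_expand_ordered_lens(bits, 3, 31, counts, 3);
    printf("ordered expansion reaching length 33: %s\n",
           rc == 0 ? "accepted" : "rejected");
    return 0;
}
```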


