[FFmpeg-devel] H263 decoding crash, [BUG] : reading memory past the end of the buffer.

Baptiste Coudurier baptiste.coudurier
Fri Jun 5 05:09:21 CEST 2009


Hi,

On 6/4/2009 7:49 PM, Pavel Pavlov wrote:
> [...]
> 
> I was able to get more info
> 
> show_bits (h263.c:4190) is called with GetBitsContext that contains
> these values:
> buffer : 0x017dbf4c     (25018188)
> buffer_end : 0x017dcffd (25022461)
> index : 34184
> size_in_bits : 34184
> 
> And the exception I get is:
> Unhandled exception at 0x10180e06 (avcodec-52.dll) in EC-09.exe: 
> 0xC0000005: Access violation reading location 0x017dd000.
> 
> Location 0x017dd000 (25022464) is just 3 bytes outside of 
> passed GetBitsContext.buffer_end
> 
> The place of crash has this asm code:
>         int v= show_bits(&s->gb, 16);
> 10180DF5  mov         ebx,dword ptr [esp+0B4h] 
> 10180DFC  mov         edx,dword ptr [ebx+8] 
> 10180DFF  mov         eax,dword ptr [ebx] 
> 10180E01  mov         edi,edx 
> 10180E03  sar         edi,3 
> 10180E06  mov         eax,dword ptr [edi+eax]    
> 10180E09  bswap       eax  
> 10180E0B  mov         ecx,edx 
> 10180E0D  and         ecx,7 
> 10180E10  shl         eax,cl 
> 10180E12  shr         eax,0F0h 
> 
> And the crash is at 10180e06
> 
> 
> 
> The values passed to show_bits as buffer and buffer_end are the pointer
> to the h263 video data that I pass to the decoder:
> avcodec_decode_video(m_pContext, m_pFrame, &nResult, (uint8_t*)pData,
> nSize);
> where pData is 0x017dbf4c and nSize is 4273 (which is 34184/8)
> 
> At the point of crash EDI is 000010B1 and eax is 017DBF4C, which means
> that edi contains 4273 and eax is the passed buffer, so on line 10180E06
> it tries to read past the buffer.

Check that the buffer is correctly allocated with
FF_INPUT_BUFFER_PADDING_SIZE which is needed when get_bits is used.

[...]

-- 
Baptiste COUDURIER                              GnuPG Key Id: 0x5C1ABAAA
Key fingerprint                 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
FFmpeg maintainer                                  http://www.ffmpeg.org
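To make the padding point concrete, here is an added example (not code from the thread, from Pavel's application or from libavcodec). It models the bit reader the way the quoted disassembly shows it: a 32-bit big-endian load at byte offset index>>3, shifted to expose n bits. With the reporter's numbers (4273-byte packet, reader at bit 34184) the load starts exactly at buffer_end and touches four bytes beyond it; the fourth of them is the faulting address 0x017dd000. The padding constant is an assumed stand-in for FF_INPUT_BUFFER_PADDING_SIZE; real callers must use the macro from avcodec.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for FF_INPUT_BUFFER_PADDING_SIZE (avcodec.h); use the
 * library macro in real code. The value here is a constructed example. */
#define INPUT_PADDING_SIZE 8

/* Simplified reader modelled on the quoted disassembly: the real
 * GetBitContext has more fields, but these are the ones involved here. */
typedef struct {
    const uint8_t *buffer;
    const uint8_t *buffer_end;
    int index;          /* current position in bits */
    int size_in_bits;
} BitReader;

static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bytes beyond buffer_end that a 32-bit load at the current index touches
 * (0 when the whole load lies inside the buffer). */
int overread_bytes(const BitReader *gb) {
    const uint8_t *load_start = gb->buffer + (gb->index >> 3);
    const uint8_t *load_end   = load_start + 4;   /* one past last byte */
    if (load_end <= gb->buffer_end)
        return 0;
    return (int)(load_end - gb->buffer_end);
}

/* Peek n bits (n <= 25) without advancing, exactly like the asm:
 * load 4 bytes, byte-swap, shift left by index&7, shift right to keep n. */
unsigned show_bits(const BitReader *gb, int n) {
    uint32_t v = load_be32(gb->buffer + (gb->index >> 3));
    v <<= gb->index & 7;
    return v >> (32 - n);
}

/* Copy a packet into a buffer that carries the required padding, zeroed so
 * that a load running past the payload returns zero bits, not a fault. */
uint8_t *alloc_padded_input(const uint8_t *data, size_t size) {
    uint8_t *buf = malloc(size + INPUT_PADDING_SIZE);
    if (!buf)
        return NULL;
    memcpy(buf, data, size);
    memset(buf + size, 0, INPUT_PADDING_SIZE);
    return buf;
}

/* The reporter's situation: a 4273-byte unpadded packet, reader at bit 34184
 * (== size_in_bits). Returns how many bytes past the end the load touches. */
int reported_overread(void) {
    uint8_t packet[4273];            /* contents irrelevant, never read */
    BitReader gb = { packet, packet + sizeof packet, 34184, 34184 };
    return overread_bytes(&gb);      /* 4: bytes 4273..4276 past buffer start */
}

/* Same reader on a padded copy of a constructed packet, peeking 16 bits that
 * start two bytes before the end: the load spills into the zeroed padding
 * instead of into whatever follows the caller's buffer. */
unsigned peek16_at_tail(const uint8_t *data, size_t size) {
    uint8_t *buf = alloc_padded_input(data, size);
    if (!buf || size < 2)
        return 0;
    BitReader gb = { buf, buf + size, (int)(size - 2) * 8, (int)size * 8 };
    unsigned v = show_bits(&gb, 16);
    free(buf);
    return v;
}

int main(void) {
    static const uint8_t sample[] = { 0x00, 0x01, 0xAB, 0xCD }; /* constructed */
    printf("unpadded 4273-byte packet at bit 34184: load runs %d bytes past end\n",
           reported_overread());
    printf("padded peek of last 16 bits: 0x%04X\n",
           peek16_at_tail(sample, sizeof sample));
    return 0;
}
```

The lesson for callers is the one Baptiste gives: the decoder's bit reader is allowed to load a full word at the current position, so the packet handed to avcodec_decode_video() must be followed by FF_INPUT_BUFFER_PADDING_SIZE bytes the caller owns, and they should be zeroed so that over-reads are deterministic.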
