[FFmpeg-devel] [PATCH] rmdec.c: prevent zero-length packets

Kostya kostya.shishkov
Tue Mar 17 06:30:40 CET 2009


On Mon, Mar 16, 2009 at 07:06:33PM -0400, Ronald S. Bultje wrote:
> Hi,
> 
> re: Mans' patch and some more looking at rmdec.c, I think we've never
> really addressed the theoretical possibility of zero-length (empty)
> packets. I don't think any sane file would use them, but they wouldn't
> be invalid and would probably still lead to a crash because st is
> uninitialized right now. Just for the sake of preventing any
> theoretical exploits, I propose the attached patch.
> 
> Ronald

It's funny that the old format code used if(len <= 0) return AVERROR(EIO);
So, let's see:
 for old format (RA28.8) audio they will be invalid
 for ATRAC, COOK and SIPRO they will be invalid (because of fixed frame size)
 for AC3 they _might_ exist but I doubt that the decoder will accept a zero packet
 for AAC there is some header as well
 for video they will be invalid (since any video packet has header)

Conclusion: len = 0 is not harmless, it's invalid.



