[FFmpeg-devel] [PATCH] dca: fix reading over the end of the allocated buffer (v2)
Sun Jan 9 14:10:57 CET 2011
On 06.01.2011 16:50, Anssi Hannula wrote:
> I noticed that the existing core DTS decoder doesn't seem to do
> any sanity checks and can easily read over the end of the buffer (a
> quick calculation suggests a rogue stream may cause the decoder to
> read up to around 120 kilobytes from the 16 kilobyte buffer).
> Since the dca_buffer resides inside DCAContext, there are several
> kilobytes of extra allocated memory following the buffer, but that is
> not enough.
> Fix that by adding several checks to the decoder, making sure it never
> reads more than 1 kilobyte over the end of the buffer.
> Kostya wrote:
>> Ahem, add those several kbs to dca_buffer size instead, I would
>> not rely on having something else in context as padding.
> OK, I had assumed the implicit padding was originally intended. Anyway,
> here's a new one adding the 1 kB to the dca_buffer instead.
> Note that my selection of 1024 bytes as padding is somewhat arbitrary,
> and it could be more bigger or smaller if wanted, thus decreasing or
> increasing the amount of sanity checks needed.
Not that a long time has passed, but it looks like this one was missed
as the other patches in the set got commented and applied quickly :)
Also, attached is the patch updated to apply cleanly to current trunk
(no other changes).
More information about the ffmpeg-devel