[FFmpeg-devel] [PATCH] dca: fix reading over the end of the allocated buffer (v2)

Kostya kostya.shishkov
Sun Jan 9 14:13:29 CET 2011


On Sun, Jan 09, 2011 at 03:10:57PM +0200, Anssi Hannula wrote:
> On 06.01.2011 16:50, Anssi Hannula wrote:
> > I noticed that the existing core DTS decoder doesn't seem to do
> > any sanity checks and can easily read over the end of the buffer (a
> > quick calculation suggests a rogue stream may cause the decoder to
> > read up to around 120 kilobytes from the 16 kilobyte buffer).
> > 
> > Since the dca_buffer resides inside DCAContext, there are several
> > kilobytes of extra allocated memory following the buffer, but that is
> > not enough.
> > 
> > Fix that by adding several checks to the decoder, making sure it never
> > reads more than 1 kilobyte over the end of the buffer.
> > ---
> > 
> > Kostya wrote:
> >> Ahem, add those several kbs to dca_buffer size instead, I would
> >> not rely on having something else in context as padding.
> > 
> > OK, I had assumed the implicit padding was originally intended. Anyway,
> > here's a new one adding the 1 kB to the dca_buffer instead.
> >
> > Note that my selection of 1024 bytes as padding is somewhat arbitrary,
> > and it could be bigger or smaller if wanted, thus decreasing or
> > increasing the amount of sanity checks needed.
> 
> Ping?
> 
> Not that a long time has passed, but it looks like this one was missed
> as the other patches in the set got commented and applied quickly :)
> 
> Also, attached is the patch updated to apply cleanly to current trunk
> (no other changes).

fine with me
 
> -- 
> Anssi Hannula

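Added example (not FFmpeg code, not the DCA decoder, and not part of the patch under discussion): a toy C decoder that illustrates the pattern the thread describes, a fixed-size frame buffer that a hostile stream drives the bit reader past, and the fix of appending explicit padding to that buffer plus sanity checks placed so that no stretch of unchecked reads can exceed the padding. The frame layout, the names (BitReader, decode_unchecked, decode_checked), the sample frames and the sizes (64-byte frame, 32-byte padding, standing in for the 16 KiB dca_buffer and the 1 KiB the patch adds) are all invented for the illustration; reads beyond the physical array, which would be out-of-bounds accesses in a real decoder, are counted here instead of performed so the demo stays memory-safe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_FRAME    64   /* stand-in for the 16 KiB frame buffer (assumption) */
#define PADDING      32   /* stand-in for the 1 KiB of explicit padding (assumption) */
#define MAX_SUB_BITS (4 + 16 * 12)  /* most one toy subframe can consume: 196 bits */

/* The padding must cover the longest run of reads between two sanity checks. */
_Static_assert((MAX_SUB_BITS + 7) / 8 <= PADDING, "padding too small for one subframe");

typedef struct {
    uint8_t buf[MAX_FRAME + PADDING]; /* real data followed by zeroed padding */
    size_t  len;                      /* bytes of real data */
    size_t  pos;                      /* read position, in bits */
    size_t  max_pos;                  /* furthest bit position ever read */
} BitReader;

static void br_init(BitReader *br, const uint8_t *frame, size_t len)
{
    if (len > MAX_FRAME) len = MAX_FRAME;
    memset(br->buf, 0, sizeof br->buf);
    memcpy(br->buf, frame, len);
    br->len = len; br->pos = 0; br->max_pos = 0;
}

/* Unchecked read, like an inner-loop get_bits(): it trusts the caller to have
 * verified the input.  Bits past the real data come from the zeroed padding.
 * Bits past the padding would be an out-of-bounds read in a real decoder;
 * the demo returns 0 for them (safety net only) and records the position. */
static uint32_t get_bits(BitReader *br, int n)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++, br->pos++) {
        size_t byte = br->pos >> 3;
        int bit = 0;
        if (byte < sizeof br->buf)
            bit = (br->buf[byte] >> (7 - (br->pos & 7))) & 1;
        v = (v << 1) | (uint32_t)bit;
    }
    if (br->pos > br->max_pos) br->max_pos = br->pos;
    return v;
}

/* Bytes the reader touched beyond the end of the real data. */
static size_t overrun_bytes(const BitReader *br)
{
    size_t end = (br->max_pos + 7) / 8;
    return end > br->len ? end - br->len : 0;
}

/* Toy frame layout (invented): 8-bit subframe count, then per subframe a
 * 4-bit (nsamples - 1) field followed by nsamples 12-bit sample values.
 * Both decoders report how many samples they produced and how far past the
 * real data the reader went. */
static int decode_unchecked(const uint8_t *frame, size_t len, int32_t *out,
                            size_t out_max, size_t *nout, size_t *overrun)
{
    BitReader br; br_init(&br, frame, len);
    unsigned nsub = get_bits(&br, 8);
    size_t n = 0;
    for (unsigned s = 0; s < nsub; s++) {
        unsigned nsamp = get_bits(&br, 4) + 1;   /* no check: stream is trusted */
        for (unsigned i = 0; i < nsamp; i++) {
            int32_t v = (int32_t)get_bits(&br, 12);
            if (n < out_max) out[n++] = v;
        }
    }
    *nout = n; *overrun = overrun_bytes(&br);
    return 0;
}

static int decode_checked(const uint8_t *frame, size_t len, int32_t *out,
                          size_t out_max, size_t *nout, size_t *overrun)
{
    BitReader br; br_init(&br, frame, len);
    unsigned nsub = get_bits(&br, 8);
    size_t n = 0;
    int ret = 0;
    for (unsigned s = 0; s < nsub; s++) {
        /* One check per subframe is enough: if we are still inside the real
         * data here, the next MAX_SUB_BITS of unchecked reads stay inside
         * the padding, which the _Static_assert above guarantees. */
        if (br.pos > br.len * 8) { ret = -1; break; }
        unsigned nsamp = get_bits(&br, 4) + 1;
        for (unsigned i = 0; i < nsamp; i++) {
            int32_t v = (int32_t)get_bits(&br, 12);
            if (n < out_max) out[n++] = v;
        }
    }
    if (ret == 0 && br.pos > br.len * 8) ret = -1; /* truncated frame: reject */
    *nout = n; *overrun = overrun_bytes(&br);
    return ret;
}

/* Constructed sample frames: a hostile one claiming 255 subframes with 16
 * samples in the first, and a well-formed one holding 0x123, 0x456, 0x789. */
static const uint8_t ROGUE_FRAME[] = { 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t GOOD_FRAME[]  = { 0x02, 0x11, 0x23, 0x45, 0x60, 0x78, 0x90 };

int main(void)
{
    int32_t out[512]; size_t n, ov;
    decode_unchecked(ROGUE_FRAME, sizeof ROGUE_FRAME, out, 512, &n, &ov);
    printf("unchecked: %zu samples, read %zu bytes past the frame (padding %d)\n", n, ov, PADDING);
    int r = decode_checked(ROGUE_FRAME, sizeof ROGUE_FRAME, out, 512, &n, &ov);
    printf("checked:   ret %d, read %zu bytes past the frame (padding %d)\n", r, ov, PADDING);
    r = decode_checked(GOOD_FRAME, sizeof GOOD_FRAME, out, 512, &n, &ov);
    printf("good:      ret %d, %zu samples, overrun %zu\n", r, n, ov);
    return 0;
}
```

The point of the split is that the check frequency and the padding size trade off against each other, which is what the "bigger or smaller" remark above is about: more padding means fewer checks in the hot path, less padding means a check before every shorter run of reads. Note that with the 4-byte rogue frame the unchecked decoder runs hundreds of bytes past the data, far beyond the padding, while the checked one stops within one subframe's worth of reads; the final check also rejects a frame truncated mid-subframe instead of silently returning samples decoded from zeroed padding.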