[FFmpeg-devel] [PATCH] Fix a couple of errors with bad Vorbis headers

Michael Niedermayer michaelni
Sat Jan 15 21:57:31 CET 2011


On Sat, Jan 15, 2011 at 09:29:49AM -0800, Frank Barchard wrote:
> On Sat, Jan 15, 2011 at 6:56 AM, Michael Niedermayer <michaelni at gmx.at> wrote:
> 
> > On Mon, Jan 10, 2011 at 06:13:21PM -0800, Frank Barchard wrote:
> >    > @@ -653,7 +661,7 @@ static int vorbis_parse_setup_hdr_residu
> > >          res_setup->partition_size = get_bits(gb, 24) + 1;
> > >          /* Validations to prevent a buffer overflow later. */
> > >          if (res_setup->begin>res_setup->end ||
> > > -            res_setup->end > vc->avccontext->channels * vc->blocksize[1]
> > / (res_setup->type == 2 ? 1 : 2) ||
> > > +            res_setup->end > vc->avccontext->channels * vc->blocksize[1]
> > / 2 ||
> > >              (res_setup->end-res_setup->begin) /
> > res_setup->partition_size > V_MAX_PARTITIONS) {
> > >              av_log(vc->avccontext, AV_LOG_ERROR, "partition out of
> > bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32",
> > %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin,
> > res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
> > >              return -1;
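Review bot: The replaced condition on res_setup->end drops the (res_setup->type == 2 ? 1 : 2) divisor in favour of a fixed / 2, which halves the accepted upper bound for type 2 residues, and nothing in the hunk says why that is safe for valid type 2 streams. Please add a comment or a commit message line naming the malformed header this rejects and confirming that legitimate type 2 setups never need end above channels * blocksize[1] / 2. The av_log call below it still reports vc->blocksize[1] / 2 without the channels factor, so the logged limit is not the value actually compared; consider printing the same expression the check uses.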
> >
> > this is a mystery to me
> > what does this fix?
> >
> > What I found when looking at the code is that ptns_to_read is uint_fast16_t
> > but values stored in there are tested against
> > #define V_MAX_PARTITIONS (1 << 20)
> > that's definitely not OK
> >
> 
> Agreed.  That looks like a bug.
> Change it to:?
> uint_fast32_t ptns_to_read = vr->ptns_to_read;

There's more code that looks like it might need to be updated similarly;
ideally this should be looked at by someone who is familiar with the code


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin
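
The width mismatch discussed in this message, as an added example that is not part of the original mail or of FFmpeg's code: a partition count that passes the V_MAX_PARTITIONS test is silently reduced when kept in a 16-bit variable. Assumptions: uint16_t stands in for a platform where uint_fast16_t is exactly 16 bits, the helper names are hypothetical, the header values are constructed, and the channels/blocksize part of the check is left out.

```c
#include <stdint.h>
#include <stdio.h>

#define V_MAX_PARTITIONS (1 << 20) /* limit quoted in the thread */

/* Partition count as it appears in the quoted setup-header check. */
static uint32_t partition_count(uint32_t begin, uint32_t end, uint32_t partition_size)
{
    return (end - begin) / partition_size;
}

/* Range part of the quoted check only: nonzero means the header is accepted. */
static int passes_setup_check(uint32_t begin, uint32_t end, uint32_t partition_size)
{
    if (partition_size == 0 || begin > end)
        return 0;
    return partition_count(begin, end, partition_size) <= V_MAX_PARTITIONS;
}

/* Assumption: models uint_fast16_t on a target where it is 16 bits wide. */
static uint16_t stored_narrow(uint32_t count)
{
    return (uint16_t)count; /* keeps only the low 16 bits */
}

/* The 32-bit width suggested in the thread holds every accepted count. */
static uint32_t stored_wide(uint32_t count)
{
    return count;
}

int main(void)
{
    /* Constructed header values: 65541 partitions of size 1. */
    uint32_t begin = 0, end = 65541, size = 1;
    uint32_t n = partition_count(begin, end, size);

    printf("accepted=%d count=%u narrow=%u wide=%u\n",
           passes_setup_check(begin, end, size), (unsigned)n,
           (unsigned)stored_narrow(n), (unsigned)stored_wide(n));
    return 0;
}
```

Any later loop bound or buffer index derived from the narrow copy would disagree with the value that was validated, which is why the type has to cover the full range the check allows.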