[FFmpeg-devel] [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()

Stefano Sabatini stefano.sabatini-lala at poste.it
Tue May 24 16:28:22 CEST 2011


On date Tuesday 2011-05-24 16:17:33 +0200, Stefano Sabatini encoded:
> On date Tuesday 2011-05-24 14:34:32 +0200, Michael Niedermayer encoded:
> > On Tue, May 24, 2011 at 01:48:46PM +0200, Stefano Sabatini wrote:
> [...]
> > > Your patch can be applied on top of that, the issue reporter tells
> > > that the patch fixes the issue, then we noted there are other memory
> > > issues but I want to leave them for now, and possibly wait for a reply
> > > from David Conrad (listed as file maintainer).
> > > -- 
> > > FFmpeg = Faithful and Fostering Murdering Perennial Elfic Glue
> > 
> > >  oggdec.c |    8 +++++++-
> > >  1 file changed, 7 insertions(+), 1 deletion(-)
> > > 2ffdc2480b9754eb0981b0072556ce094bd07c72  0001-oggdec-add-integer-overflow-and-allocation-check-in-.patch
> > > From 3e7461df29cca18749db557b1e6616f578b3b73a Mon Sep 17 00:00:00 2001
> > > From: Stefano Sabatini <stefano.sabatini-lala at poste.it>
> > > Date: Thu, 19 May 2011 00:05:21 +0200
> > > Subject: [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()
> > > 
> > > Should fix trac issue #185.
> > > ---
> > >  libavformat/oggdec.c |    8 +++++++-
> > >  1 files changed, 7 insertions(+), 1 deletions(-)
> > > 
> > > diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
> > > index 344bd1c..aa63f96 100644
> > > --- a/libavformat/oggdec.c
> > > +++ b/libavformat/oggdec.c
> > > @@ -288,7 +288,13 @@ static int ogg_read_page(AVFormatContext *s, int *str)
> > >      }
> > >  
> > >      if (os->bufsize - os->bufpos < size){
> > > -        uint8_t *nb = av_malloc (os->bufsize *= 2);
> > > +        uint8_t *nb;
> > > +        if (os->bufsize > SIZE_MAX/2) {
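Review bot: the guard `if (os->bufsize > SIZE_MAX/2)` compares `bufsize`, which the reply below identifies as `unsigned int`, against `SIZE_MAX`; on targets where `SIZE_MAX` is larger than `UINT_MAX` the condition can never be true and the subsequent doubling of `os->bufsize` can still wrap, so compare against the limit of the field's actual type (`UINT_MAX/2` for `unsigned int`). The hunk is also cut off before the replacement for `av_malloc (os->bufsize *= 2)`, so the "allocation check" named in the subject (a NULL test on `nb`) cannot be verified from this excerpt.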
> > 
> > bufsize is unsigned int SIZE_MAX can be larger
> 
> Fixed.
> 
> Other patches posted in separate threads.
> -- 
> FFmpeg = Foolish & Formidable Magnificient Programmable Ecumenical Gadget

> From 0895a8c026dd39649d433ff2dc2840af3b44827e Mon Sep 17 00:00:00 2001
> From: Stefano Sabatini <stefano.sabatini-lala at poste.it>
> Date: Thu, 19 May 2011 00:05:21 +0200
> Subject: [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()
> 
> Should fix trac issue #185.
> ---
>  libavformat/oggdec.c |    8 +++++++-
>  1 files changed, 7 insertions(+), 1 deletions(-)
> 
> diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
> index 344bd1c..e1357cb 100644
> --- a/libavformat/oggdec.c
> +++ b/libavformat/oggdec.c
> @@ -288,7 +288,13 @@ static int ogg_read_page(AVFormatContext *s, int *str)
>      }
>  
>      if (os->bufsize - os->bufpos < size){
> -        uint8_t *nb = av_malloc (os->bufsize *= 2);
> +        uint8_t *nb;
> +        if (os->bufsize > UINT_MAX/2) {
> +            av_log(s, AV_LOG_ERROR, "Ogg page with size %u is too big\n", os->bufsize);
> +            return AVERROR_INVALIDDATA;
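Review bot: the message in `av_log(s, AV_LOG_ERROR, "Ogg page with size %u is too big\n", os->bufsize);` prints the current buffer size, not the size of the page that triggered the reallocation, so either print `size` (the value tested in `if (os->bufsize - os->bufpos < size)`) or reword the message to say "buffer size". Returning `AVERROR_INVALIDDATA` labels the input as corrupt, but exceeding the doubling limit is an allocation-size limit rather than evidence of a malformed stream; `AVERROR(ENOMEM)` describes it more accurately, as the follow-up below already changes. The excerpt still ends before the new `av_malloc` call, so the NULL check on `nb` remains unreviewed here.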

Changed locally to AVERROR(ENOMEM); indeed there is not necessarily
something wrong in the file itself.
-- 
FFmpeg = Frenzy and Freak Mortal Philosophical Elfic Genius