[FFmpeg-devel] [PATCH 5/7] Check for out of bound reads in the flic decoder.
fenrir at elivagar.org
Wed Sep 28 01:10:53 CEST 2011
On Wed, Sep 28, 2011 at 12:48:41AM +0200, Michael Niedermayer wrote:
> On Tue, Sep 27, 2011 at 11:43:55PM +0200, fenrir at elivagar.org wrote:
> > From: Laurent Aimar <fenrir at videolan.org>
> > @@ -218,6 +222,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
> > if (color_changes == 0)
> > color_changes = 256;
> > + if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
> > + break;
> > +
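Review bot: the bound `stream_ptr + color_changes * 3 > stream_ptr_after_chunk` evaluates the addition before the comparison, so with stream_ptr close to INT_MAX the sum can wrap and the check passes a run that does not fit. Rewriting it as `stream_ptr_after_chunk - stream_ptr < color_changes * 3` keeps the same meaning and cannot overflow provided stream_ptr does not exceed stream_ptr_after_chunk; if that ordering is not already guaranteed at this point, it is worth asserting it once before the loop rather than in each per-chunk check.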
> the addition as well as others can overflow, not really a big issue,
> as it's near impossible to happen in practice so this could probably
> be applied as is if you prefer
No, I prefer to get it right, it's easier to maintain I think.
Mmh, it can only overflow if stream_ptr is above or equal to
INT_MAX - (3*256 + something_smaller_than_FF_INPUT_BUFFER_PADDING_SIZE) I
think. The other additions are all smaller than that.
Also, there was an invalid test that I removed.
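As an added example (not the patch's code and not FFmpeg's), the palette-run bound from the quoted hunk written in subtraction form, which cannot overflow when the offsets are ordered, next to a 64-bit probe that shows exactly where the additive form would wrap. All names and the parameter widths are assumptions for illustration.

```c
#include <limits.h>
#include <stdint.h>

/* Constructed stand-in for the palette run in the hunk: a count of 0
 * means 256 entries, and each entry is 3 bytes of RGB. */
static int palette_bytes(int color_changes)
{
    if (color_changes == 0)
        color_changes = 256;
    return color_changes * 3;
}

/* Would the additive check from the hunk, `pos + needed > end`, overflow
 * an int? Evaluated in 64 bits so the answer is well-defined instead of
 * undefined behaviour. Returns 1 when pos + needed exceeds INT_MAX. */
static int additive_check_overflows(int pos, int needed)
{
    return (int64_t)pos + needed > INT_MAX;
}

/* Same bound as the hunk, rearranged as a subtraction. When 0 <= pos <= end,
 * `end - pos` is always representable, so no wrap is possible however large
 * pos is. Returns 1 when the decoder should stop reading, mirroring the
 * `break` in the hunk; malformed (unordered) offsets also return 1. */
static int palette_run_out_of_bounds(int pos, int end, int color_changes)
{
    if (pos < 0 || end < pos)
        return 1;
    return end - pos < palette_bytes(color_changes);
}
```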