[FFmpeg-devel] [PATCH 2/6] Check for out of bound reads in xan_huffman_decode() of the xan decoder.

Michael Niedermayer michaelni at gmx.at
Thu Sep 29 23:03:07 CEST 2011


On Thu, Sep 29, 2011 at 08:38:53PM +0200, Laurent Aimar wrote:
> On Thu, Sep 29, 2011 at 02:18:18AM +0200, Reimar Döffinger wrote:
> > 
> > 
> > On 29 Sep 2011, at 01:04, fenrir at elivagar.org wrote:
> > 
> > > From: Laurent Aimar <fenrir at videolan.org>
> > > 
> > > ---
> > > libavcodec/xan.c |    5 ++++-
> > > 1 files changed, 4 insertions(+), 1 deletions(-)
> > > 
> > > diff --git a/libavcodec/xan.c b/libavcodec/xan.c
> > > index 51b4b95..3359102 100644
> > > --- a/libavcodec/xan.c
> > > +++ b/libavcodec/xan.c
> > > @@ -114,7 +114,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
> > >     init_get_bits(&gb, ptr, ptr_len * 8);
> > > 
> > >     while ( val != 0x16 ) {
> > > -        val = src[val - 0x17 + get_bits1(&gb) * byte];
> > > +        int idx = val - 0x17 + get_bits1(&gb) * byte;
> > > +        if (idx < 0 || idx >= 2 * byte)
> > > +            return -1;
> > 
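Review bot: The bound added in `if (idx < 0 || idx >= 2 * byte)` covers the table lookup only; the `while ( val != 0x16 )` loop still calls `get_bits1(&gb)` on every pass, and nothing in the lines shown checks that any of the `ptr_len * 8` bits handed to `init_get_bits()` remain. Consider testing the remaining bit count at the top of the loop and returning an error there too. The check also trusts `byte` as the table size, so it is worth confirming, outside this hunk, that the input really holds `2 * byte` table bytes.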
> > Using unsigned will need one check less.
>  Patch attached.
> 
> > However I don't know if the condition is actually correct.
> I have looked at http://wiki.multimedia.cx/index.php?title=Wing_Commander_III_MVE_Video_Codec
> and the section parsed by xan_huffman_decode() is described as follows:
> 
> byte 0       number of values in the Huffman tree (should be 22)
> bytes 1..44  Huffman tree table
> bytes 45..   Huffman-coded data.
> 
> So I think it's the right test.
> 
> -- 
> fenrir

>  xan.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 79c4c35684d82682fc9e37c85e14d8c98d299f68  0002-Check-for-out-of-bound-reads-in-xan_huffman_decode-o.patch
> From 57f71c76f0127fa2f3d54dac5a5d69e6e8c2706b Mon Sep 17 00:00:00 2001
> From: Laurent Aimar <fenrir at videolan.org>
> Date: Wed, 28 Sep 2011 00:45:54 +0200
> Subject: [PATCH 2/2] Check for out of bound reads in xan_huffman_decode() of the xan decoder.

applied, thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire
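
The check discussed in this thread, as an added stand-alone illustration that is not FFmpeg's code and not part of the patch: a decoder for the quoted layout that validates the table size, the remaining coded bits, and the table index with the single unsigned comparison suggested above. The name `huff_decode`, the error codes, the MSB-first bit order, the 8-bit start node and the leaf/end-marker convention are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { HUFF_ERR_TRUNCATED = -1, HUFF_ERR_INDEX = -2 };   /* hypothetical codes */

/* Layout quoted in the thread: byte 0 = value count n, bytes 1..2n = tree
 * table, remaining bytes = coded bits. Assumed here: bits are consumed MSB
 * first, the start node n + 0x16 is kept in 8 bits, table values below 0x16
 * are output symbols, 0x16 ends the stream. Returns bytes written or error. */
int huff_decode(uint8_t *dest, size_t dest_len, const uint8_t *src, size_t src_len)
{
    if (src_len < 1)
        return HUFF_ERR_TRUNCATED;
    unsigned n = src[0];                      /* "byte" in the patch */
    if (src_len - 1 < 2 * (size_t)n)
        return HUFF_ERR_TRUNCATED;            /* table does not fit in the input */
    const uint8_t *table = src + 1, *bits = table + 2 * n;
    size_t nbits = (src_len - 1 - 2 * (size_t)n) * 8, pos = 0, out = 0;
    uint8_t root = (uint8_t)(n + 0x16);       /* wraps below 0x17 when n >= 234 */
    unsigned val = root;
    while (val != 0x16) {
        if (pos >= nbits)
            return HUFF_ERR_TRUNCATED;        /* coded data ended before 0x16 */
        unsigned bit = (bits[pos >> 3] >> (7 - (pos & 7))) & 1;
        pos++;
        /* Unsigned arithmetic: an index that would be negative as an int
         * wraps to a huge value, so one comparison covers both bounds. */
        unsigned idx = val - 0x17 + bit * n;
        if (idx >= 2 * n)
            return HUFF_ERR_INDEX;
        val = table[idx];
        if (val < 0x16) {                     /* leaf: emit, restart at root */
            if (out >= dest_len)
                break;                        /* output full: stop quietly */
            dest[out++] = (uint8_t)val;
            val = root;
        }
    }
    return (int)out;
}

int main(void)
{
    /* Constructed input: n = 2, codes 0 -> 5, 10 -> 7, 11 -> end. */
    const uint8_t sample[] = { 2, 0x07, 0x05, 0x16, 0x17, 0x4C };
    uint8_t out[8];
    printf("%d\n", huff_decode(out, sizeof out, sample, sizeof sample));
    return 0;
}
```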