[FFmpeg-devel] [PATCH] Fix mpeg1/2 scantable overflow

Michael Niedermayer michaelni at gmx.at
Thu Aug 9 19:50:04 CEST 2012

On Thu, Aug 09, 2012 at 11:54:56PM +1000, Loune Lam wrote:
> Hi All,
> Recently been trying VLC on android, and discovered a crash with a
> corrupted DVB mpeg2 ts video. Traced it down to libavcodec/mpeg12.c,
> Snippet mpeg2_fast_decode_block_intra and Snippet
> mpeg2_fast_decode_block_non_intra. Basically they index scantable
> without checking if the bounds. The indexable range maximum seems to
> be 63 so doing a > 63 check fixes the crash. I've got no idea about
> how mpeg decodes, so not sure if that fix is the best. Also, there
> seems to be a few other methods (i.e. mpeg1/non-fast) which suffer
> from this same mistake of not validating the index when accessing
> the scantable. Some of them do have a (i > 63) check (error ac-tex
> damaged at...) but it's after accessing the scantable. I've added a
> range check to all places which looks at the scantable.

the fast methods skip various checks to be fast they arent used unless
explicitly enabled. the fast methods CAN crash but should only crash
harmlessly through reads not writes

If we can make the fast methods more robust without slowing them
down, this is very welcome of course but making them slow is kinda
defeating their purpose

the non fast methods OTOH should not crash and never read out of array
you didnt speak about any crash in the non fast methods, can you
confirm they work fine with your sample ?

if there is interrest in a intermediate fast (inaccurate) but never
crashing variant this would not be unwelcome but iam not sure the
speed gain of this would be interresting. IIRC the difference between
fast and non fast isnt all that large to begin with ...

Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20120809/fdbbc71d/attachment.asc>

More information about the ffmpeg-devel mailing list