[FFmpeg-devel] [PATCH]: avoid sending empty probe data to probing functions

Nicolas George nicolas.george at normalesup.org
Sun Jul 8 17:23:04 CEST 2012


Le septidi 17 messidor, an CCXX, Thomas Hutschenreuther a écrit :
> I have seen some rare occurrences of crashes in aacdec.c in the
> function adts_aac_probe.
> The crash occurs in line 45:
> 
> uint32_t header = AV_RB16(buf2);
> 
> The buf2 directly comes from the AVProbeData given to this function.
> Inspection showed that all fields of that AVProbeData instance were
> set to zero.
> Also in this function no checks are performed on the
> existence/validity of the probe data.
> 
> As I did not want to check all probing functions for checks on input
> data, I looked for a possibility to prevent this at a higher level.

The calling code is supposed to add 32 null bytes as padding to the probe
data buffer. AFAICS, adts_aac_probe relies on it (which is a style I do not
like personally but is perfectly valid in the context of ffmpeg) in a safe
way.

Therefore, your post-mortem on the crash you were experiencing seems
incomplete: if p->buf was NULL, it should not have been, and we need to know
why; if p->buf was not NULL, it should point to at least 32 bytes of 0, and
if not we also need to know why.

Can you point us to a sample that causes the crash you were investigating?

Regards,

-- 
  Nicolas George
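The reply above describes a calling convention rather than showing it: the caller that builds an AVProbeData must append 32 zero bytes after the real data, and probers such as adts_aac_probe are allowed to read a few bytes past buf_size on the strength of that promise. The example below is an added illustration, not code from FFmpeg or from this thread. It uses a minimal stand-in struct (ProbeData) instead of the real AVProbeData, a local PROBE_PADDING constant in place of FFmpeg's own padding constant, and a toy prober that scans for a 0xFFF sync pattern the way an ADTS prober would, so that the padding-dependent read and the caller-side check Nicolas asks for can be seen together.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumption for this stand-alone example: the 32-byte zero padding the
   thread describes. FFmpeg has its own constant for this; it is not used here. */
#define PROBE_PADDING 32

/* Minimal stand-in for AVProbeData with only the fields the example needs. */
typedef struct {
    const char    *filename;
    unsigned char *buf;       /* buf_size bytes of data, then PROBE_PADDING zero bytes */
    int            buf_size;  /* size of the real data, excluding the padding */
} ProbeData;

/* Big-endian 16-bit read, in the spirit of AV_RB16. */
static uint32_t rb16(const unsigned char *p) {
    return ((uint32_t)p[0] << 8) | p[1];
}

/* Caller side: copy `len` bytes and append PROBE_PADDING zero bytes.
   calloc zero-fills, so the padding is guaranteed to be 0. Returns 0 or -1. */
static int probe_data_init(ProbeData *pd, const unsigned char *data, int len) {
    pd->filename = "";
    pd->buf_size = len;
    pd->buf = calloc((size_t)len + PROBE_PADDING, 1);
    if (!pd->buf) return -1;
    memcpy(pd->buf, data, (size_t)len);
    return 0;
}

static void probe_data_free(ProbeData *pd) {
    free(pd->buf);
    pd->buf = NULL;
    pd->buf_size = 0;
}

/* The contract check a defensive dispatcher can run before calling probers:
   the buffer exists and is followed by PROBE_PADDING zero bytes. */
static int probe_data_is_padded(const ProbeData *pd) {
    if (!pd->buf || pd->buf_size < 0) return 0;
    for (int i = 0; i < PROBE_PADDING; i++)
        if (pd->buf[pd->buf_size + i] != 0) return 0;
    return 1;
}

/* Toy prober: counts 16-bit big-endian words whose top 12 bits are 0xFFF
   (the ADTS sync pattern). Reading rb16(buf + buf_size - 1) touches one byte
   of padding; a zero byte there can never complete a sync word, which is
   exactly why the convention makes such a read safe. Returns -1 if the
   contract is violated (e.g. a zeroed ProbeData with buf == NULL). */
static int toy_sync_probe(const ProbeData *pd) {
    int hits = 0;
    if (!probe_data_is_padded(pd)) return -1;
    for (int i = 0; i < pd->buf_size; i++)
        if ((rb16(pd->buf + i) & 0xFFF0) == 0xFFF0) hits++;
    return hits;
}

/* Helper that builds, probes and frees one constructed sample. */
static int probe_sample(const unsigned char *data, int len) {
    ProbeData pd;
    if (probe_data_init(&pd, data, len) < 0) return -1;
    int r = toy_sync_probe(&pd);
    probe_data_free(&pd);
    return r;
}

/* Constructed sample: two ADTS-style sync words, one at offset 0 and one at 4. */
static int demo_two_syncs(void) {
    static const unsigned char s[] = {0xFF, 0xF1, 0x50, 0x80, 0xFF, 0xF9, 0x00};
    return probe_sample(s, (int)sizeof s);   /* 2 */
}

/* Constructed sample ending in 0xFF: the read at the last offset pairs it
   with padding byte 0x00, giving 0xFF00, which is not a sync word. */
static int demo_trailing_ff(void) {
    static const unsigned char s[] = {0x12, 0x34, 0xFF};
    return probe_sample(s, (int)sizeof s);   /* 0 */
}

/* The failure mode from the thread: an all-zero ProbeData. The check
   rejects it instead of dereferencing NULL. */
static int demo_zeroed_probe_data(void) {
    ProbeData pd;
    memset(&pd, 0, sizeof pd);
    return toy_sync_probe(&pd);              /* -1 */
}

int main(void) {
    printf("two syncs: %d\n", demo_two_syncs());
    printf("trailing 0xFF: %d\n", demo_trailing_ff());
    printf("zeroed ProbeData: %d\n", demo_zeroed_probe_data());
    return 0;
}
```

The point of probe_data_is_padded is the one the reply makes: a prober reading past buf_size is not a bug when the caller honours the padding, so a crash there points at the caller (a NULL or unpadded buffer), and that is the place to add the check rather than auditing every prober.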