[FFmpeg-devel] [PATCH] avcodec/get_bits: fix crash with get_bits1()

Michael Niedermayer michaelni at gmx.at
Mon Oct 28 22:18:13 CET 2013


On Mon, Oct 28, 2013 at 06:20:05PM +0000, Paul B Mahol wrote:
> Signed-off-by: Paul B Mahol <onemda at gmail.com>
> ---
>  libavcodec/get_bits.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
> index 32715d8..3df570b 100644
> --- a/libavcodec/get_bits.h
> +++ b/libavcodec/get_bits.h
> @@ -410,7 +410,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
>  
>      if (bit_size >= INT_MAX - 7 || bit_size <= 0 || !buffer) {
>          buffer_size = bit_size = 0;
> -        buffer      = NULL;
> +        buffer      = (const uint8_t*)s;
>          ret         = AVERROR_INVALIDDATA;
>      }
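Review bot: pointing `buffer` at the GetBitContext itself (`buffer = (const uint8_t*)s;`) replaces a NULL dereference with an out-of-bounds read of the context and whatever follows it: a caller that ignores the `AVERROR_INVALIDDATA` return and still calls get_bits1() now reads bytes of `s` as if they were bitstream data. Since `bit_size` is already forced to 0 in this branch, a safer fallback is a small static zero-filled sentinel array (readers then return zeros), or keep `buffer = NULL` and fix the callers that skip the return-value check.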

That looks a bit strange: s is a pointer to the GetBitContext, and by allowing the context and whatever is after it to be read as if it was the source bitstream, instead of crashing with a null pointer dereference, an attacker could be able to extract information, for example about the memory layout of the running process, which could allow him to bypass ASLR.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
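As an added illustration of the two mitigations discussed in the thread (this is not FFmpeg's get_bits.h; BitReader, br_init, br_get_bits1 and parse_flag are invented names), a minimal MSB-first bit reader that parks a failed init on a zero-filled sentinel instead of NULL or the context, and a caller that checks the return value before reading:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative bit reader, not FFmpeg's get_bits.h. A failed init parks the
 * reader on a zero-filled sentinel with size 0, so a caller that ignores the
 * error neither dereferences NULL nor reads the context struct (s). */
static const uint8_t br_zero_sentinel[8] = {0};

typedef struct BitReader {
    const uint8_t *buffer;
    size_t size_in_bits;
    size_t index;
} BitReader;

/* Same validity check as init_get_bits; returns -1 on invalid input. */
int br_init(BitReader *s, const uint8_t *buffer, long bit_size)
{
    s->index = 0;
    if (!buffer || bit_size <= 0 || bit_size >= INT_MAX - 7) {
        s->buffer = br_zero_sentinel;
        s->size_in_bits = 0;
        return -1;
    }
    s->buffer = buffer;
    s->size_in_bits = (size_t)bit_size;
    return 0;
}

/* MSB-first single-bit read; past the end it yields 0 and touches no memory. */
unsigned br_get_bits1(BitReader *s)
{
    if (s->index >= s->size_in_bits)
        return 0;
    unsigned bit = (s->buffer[s->index >> 3] >> (7 - (s->index & 7))) & 1u;
    s->index++;
    return bit;
}

/* Caller pattern: consume bits only after init reported success. */
int parse_flag(const uint8_t *data, long bit_size, unsigned *flag_out)
{
    BitReader br;
    if (br_init(&br, data, bit_size) < 0)
        return -1;
    *flag_out = br_get_bits1(&br);
    return 0;
}
```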