[FFmpeg-devel] [PATCH 4/5] wma lossless: pad coeff buffer with 0

Michael Niedermayer michaelni at gmx.at
Mon Feb 10 17:04:39 CET 2014


On Mon, Feb 10, 2014 at 09:10:52AM +0100, Christophe Gisquet wrote:
> 2014-02-09 22:38 GMT+01:00 Christophe Gisquet <christophe.gisquet at gmail.com>:
> > Replace by & (WMALL_COEFF_PAD_SIZE-1) which is the same but clearer.
> 
> Which is not correct anyway. New patch fixing the issue, but which may
> be a bit assuming on the possible order values (multiples of 8).

%16
&15
&8
all are the same for unsigned values which are a multiple of 8

if values could be something else then the code can write out of
array and is potentially exploitable

for example
if one changes MAX_ORDER to 255 from 256 you have exploitable code
if someone finds and reverse engineers an extra bit somewhere that
allows files with order % 8 != 0 it would be exploitable too

I suggest to make the code a bit more defensive and not write out
of array in such cases, even though they are not possible with the
current code

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
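The point above, as an added illustration that is not code from the patch or from FFmpeg: the three forms agree only when the order is a multiple of 8, and a defensive pad routine should refuse any order the buffer cannot hold instead of writing past it. MAX_ORDER, WMALL_COEFF_PAD_SIZE and the int16 coefficient buffer are assumed values for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed constants for this example; not FFmpeg's own definitions. */
#define MAX_ORDER            256
#define WMALL_COEFF_PAD_SIZE 16

/* Three ways of computing how far `order` sits past a 16-entry boundary.
 * They coincide only when order is a multiple of 8. */
static unsigned pad_mod(unsigned order)   { return order % 16; }
static unsigned pad_and15(unsigned order) { return order & 15; }
static unsigned pad_and8(unsigned order)  { return order & 8;  }

/* Returns 1 when all three expressions give the same result for `order`. */
static int pad_forms_agree(unsigned order)
{
    return pad_mod(order) == pad_and15(order) &&
           pad_and15(order) == pad_and8(order);
}

/* Defensive padding: zero the tail of `coeffs` up to the next
 * WMALL_COEFF_PAD_SIZE multiple. Orders that are out of range, not a
 * multiple of 8, or that would run past `buf_len` are rejected.
 * Returns the number of zeroed entries, or -1 on rejection. */
static int pad_coeffs(int16_t *coeffs, size_t buf_len, unsigned order)
{
    if (order > MAX_ORDER || order % 8 != 0)
        return -1;                          /* never write out of the array */
    unsigned pad = (WMALL_COEFF_PAD_SIZE - order % WMALL_COEFF_PAD_SIZE)
                   % WMALL_COEFF_PAD_SIZE;
    if ((size_t)order + pad > buf_len)
        return -1;
    memset(coeffs + order, 0, pad * sizeof(*coeffs));
    return (int)pad;
}

/* Wrapper over a fixed buffer (constructed here) for stand-alone checks. */
static int pad_demo(unsigned order)
{
    static int16_t coeffs[MAX_ORDER + WMALL_COEFF_PAD_SIZE];
    return pad_coeffs(coeffs, sizeof(coeffs) / sizeof(coeffs[0]), order);
}

int main(void)
{
    printf("order 12: forms agree=%d pad=%d\n", pad_forms_agree(12), pad_demo(12));
    printf("order 24: forms agree=%d pad=%d\n", pad_forms_agree(24), pad_demo(24));
    return 0;
}
```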