[FFmpeg-devel] [PATCH 4/5] wma lossless: pad coeff buffer with 0
christophe.gisquet at gmail.com
Mon Feb 10 21:20:22 CET 2014
2014-02-10 Michael Niedermayer <michaelni at gmx.at>:
> all are the same for unsigned values which are a multiple of 8
> if values could be something else then the code can write out of
> array and is potentially exploitable
Errm... Sorry, I wasn't clear here. The actual issue was an incorrect sizeof.
And the commit message was wrong (batch of 8 whereas it is 16) and
thus confusing on what was happening here.
> I suggest to make the code a bit more defensive and not write out
> of array in such cases, even though they are not possible with the
> current code
Well, this is the only location where the order is set as far as I
see. If you see something elsewhere that should be done, I'm missing
it, so please be specific. Anyway, I don't see what I can do that is safer
than setting the remainder of the buffer to 0, which is done in the
attached patch. This is a bit exaggerated as, last I checked, the
order was 16 or 32, and MAX_ORDER is 256.
From the code, though, zeroing "FFALIGN(s->cdlms[c][i].order,16) -
s->cdlms[c][i].order" elements (0 or 8 with the current code) would be
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6478 bytes
Desc: not available
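
An added example, not part of the mail and not FFmpeg's code: zero-padding a coefficient buffer up to the next multiple of 16 so that a loop consuming 16 coefficients per step never multiplies by stale data. `struct filter`, `pad_coefs`, `dot_batched` and the sample values are hypothetical; `FFALIGN`, the batch of 16 and `MAX_ORDER` 256 are taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ORDER 256                                /* value quoted in the mail */
#define BATCH     16                                 /* batch size named in the mail */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1)) /* FFmpeg's alignment macro */

/* Hypothetical stand-in for one filter's state, not FFmpeg's own struct. */
struct filter {
    int     order;
    int16_t coefs[MAX_ORDER];
};

/* Zero coefs[order .. FFALIGN(order, BATCH)). Returns the number of elements
 * zeroed, or -1 when the padded span would not fit inside the array. */
int pad_coefs(struct filter *f)
{
    if (f->order <= 0 || f->order > MAX_ORDER)
        return -1;
    int padded = FFALIGN(f->order, BATCH);
    if (padded > MAX_ORDER)
        return -1;
    int tail = padded - f->order;
    /* Byte count = element count * size of ONE element; a sizeof taken on
     * the wrong object clears too little or writes past the array. */
    memset(f->coefs + f->order, 0, tail * sizeof(*f->coefs));
    return tail;
}

/* Batched dot product: reads whole batches, so `in` must hold
 * FFALIGN(order, BATCH) samples and the coefficient tail must be zero. */
int32_t dot_batched(const struct filter *f, const int16_t *in)
{
    int32_t sum = 0;
    for (int i = 0; i < FFALIGN(f->order, BATCH); i += BATCH)
        for (int j = 0; j < BATCH; j++)
            sum += f->coefs[i + j] * in[i + j];
    return sum;
}

int main(void)
{
    struct filter f;
    int16_t in[32];
    memset(&f, 0x7f, sizeof(f));                     /* constructed stale data */
    f.order = 24;                                    /* constructed order */
    for (int i = 0; i < 24; i++) f.coefs[i] = 1;
    for (int i = 0; i < 32; i++) in[i] = 2;
    int tail = pad_coefs(&f);
    printf("zeroed %d, dot %d\n", tail, (int)dot_batched(&f, in));
    return 0;
}
```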