[FFmpeg-devel] [PATCH 4/5] wma lossless: pad coeff buffer with 0

Christophe Gisquet christophe.gisquet at gmail.com
Mon Feb 10 21:20:22 CET 2014


2014-02-10 Michael Niedermayer <michaelni at gmx.at>:
> %16
> &15
> &8
> all are the same for unsigned values which are a multiply of 8
> if values could be something else then the code can write out of
> array and is potentially exploitable

Errm... Sorry, I wasn't clear here. The actual issue was an incorrect sizeof.
And the commit message was wrong (batch of 8 whereas it is 16) and
thus confusing on what was happening here.

> I suggest to make the code a bit more defensive and not write out
> of array in such cases, even though they are not possible with the
> current code

Well, this is the only location where the order is set as far as I
see. If you see something elsewhere that should be done, I'm missing
it, so please be specific. Anyway, I don't see what I can do safer
than setting the remaining of the buffer to 0, which is done in the
attached patch. This is a bit exaggerated as, last I checked, the
order was 16 or 32, and MAX_ORDER is 256.

>From the code, though, zeroing "FFALIGN(s->cdlms[c][i].order,16) -
s->cdlms[c][i].order" elements (0 or 8 with the current code) would be

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-wma-lossless-reuse-scalarproduct_and_madd_int16.patch
Type: text/x-patch
Size: 6478 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20140210/db61302c/attachment.bin>

More information about the ffmpeg-devel mailing list