[FFmpeg-devel] [PATCH] apedec: ensure blockstodecode is large enough

Michael Niedermayer michaelni at gmx.at
Tue Apr 28 03:18:01 CEST 2015


On Mon, Apr 27, 2015 at 11:56:15PM +0200, Andreas Cadhalpun wrote:
> s->decoded_buffer is allocated with a min_size of:
>     2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
> 
> Then it is assigned to s->decoded[0], which is passed as out buffer to
> decode_array_0000.
> 
> In this function 64 elements of the out buffer are written
> unconditionally and outside the array if blockstodecode is too small.
> 
> This causes memory corruption, leading to segmentation faults or other crashes.
> 
> Thus check that FFALIGN(blockstodecode, 8) is at least 32, i.e. the
> decoded_buffer has at least 64 components.

the stereo case would need a check against 64 i think
also if this is specific to decode_array_0000(), then the others
should not fail with a short array
or decode_array_0000() could be made to just write less or error
out

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem
            conveniently.
New school: Use the highest level language in which the latest supercomputer
            can solve the problem without the user falling asleep waiting.
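To make the arithmetic in the two messages above concrete, the following is an added example written for this page; it is not FFmpeg code and not from either author. It models the allocation quoted in the report (2 * FFALIGN(blockstodecode, 8) elements) and the 64 unconditional writes of decode_array_0000(), and derives the mono bound (aligned size >= 32) from the patch and the stereo bound (>= 64) from Michael's remark. The helper names are invented, and it assumes that in the stereo case the second channel's pointer starts at offset FFALIGN(blockstodecode, 8) inside decoded_buffer, so that the two channels split the allocation in half.

```c
#include <stddef.h>
#include <stdio.h>

/* FFALIGN as defined in FFmpeg's libavutil/macros.h; a must be a power of two. */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* From the bug report: decode_array_0000() stores this many output samples
 * per channel unconditionally, however few blocks were requested. */
#define ARRAY_0000_WRITES 64

/* Elements in s->decoded_buffer for a given blockstodecode; the report gives
 * the allocation as 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer). */
static size_t decoded_buffer_elems(int blockstodecode)
{
    return 2 * (size_t)FFALIGN(blockstodecode, 8);
}

/* Start of channel ch inside the buffer. Assumption made by this example:
 * channel 0 starts at 0 and channel 1 at FFALIGN(blockstodecode, 8), so the
 * two channels split the allocation in half. */
static size_t channel_offset(int blockstodecode, int ch)
{
    return ch ? (size_t)FFALIGN(blockstodecode, 8) : 0;
}

/* Simulate decode_array_0000() filling channel ch and return how many of its
 * 64 writes would land beyond the end of the allocation (0 means in bounds).
 * In stereo an undersized buffer also makes channel 0 clobber channel 1's
 * samples; that stays inside the allocation and is not counted here. */
static size_t overflow_elems(int blockstodecode, int ch)
{
    size_t end   = channel_offset(blockstodecode, ch) + ARRAY_0000_WRITES;
    size_t total = decoded_buffer_elems(blockstodecode);
    return end > total ? end - total : 0;
}

/* Check to run before calling decode_array_0000(): the last channel's writes
 * must stay inside the buffer. For mono this reduces to
 * FFALIGN(blockstodecode, 8) >= 32 (the posted patch), for stereo to >= 64. */
static int blockstodecode_ok(int blockstodecode, int channels)
{
    return overflow_elems(blockstodecode, channels - 1) == 0;
}

/* Smallest blockstodecode that passes the check for the given channel count. */
static int min_blockstodecode(int channels)
{
    int n = 1;
    while (!blockstodecode_ok(n, channels))
        n++;
    return n;
}

int main(void)
{
    int cases[] = { 8, 24, 25, 32, 56, 57 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int b = cases[i];
        printf("blockstodecode=%2d aligned=%2d buffer=%3zu elems  "
               "mono: %s (%2zu past end)  stereo: %s (%2zu past end)\n",
               b, FFALIGN(b, 8), decoded_buffer_elems(b),
               blockstodecode_ok(b, 1) ? "ok " : "OOB", overflow_elems(b, 0),
               blockstodecode_ok(b, 2) ? "ok " : "OOB", overflow_elems(b, 1));
    }
    printf("minimum blockstodecode: mono %d, stereo %d\n",
           min_blockstodecode(1), min_blockstodecode(2));
    return 0;
}
```

The mono bound comes out at FFALIGN(blockstodecode, 8) >= 32 because channel 0 may spill into the unused second half of the buffer; with two channels the second half is the other channel, so channel 1's 64 writes only fit when FFALIGN(blockstodecode, 8) >= 64, which is the gap Michael points at.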