[FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header

Michael Niedermayer michaelni at gmx.at
Tue Apr 28 22:21:20 CEST 2015


On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
> The existing check has two problems:
>  1) i + count can overflow, so that the check '< 256' returns true.
>  2) In the (i == 'N') case a j-- occurs, so the loop runs once more.
> 
> This can trigger the assertion 'nut->header_len[0] == 0' or cause
> segmentation faults or infinite hangs.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/nutdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> index 1bb2091..46946d3 100644
> --- a/libavformat/nutdec.c
> +++ b/libavformat/nutdec.c
> @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
>          while (tmp_fields-- > 8)
>              ffio_read_varlen(bc);
>  
> -        if (count == 0 || i + count > 256) {
> +        if (count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && count > 255 - i)) {
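Review bot: the asymmetric bound in the new condition (255 - i when i <= 'N', 256 - i otherwise) is justified only in the commit message (the extra j-- in the i == 'N' case), not in the code; add a one-line comment above the check so a later reader does not fold it back into a single i + count bound. The two branches can also be written as one expression, e.g. `count > 256 - (i <= 'N') - i`, which is easier to check against the 256-entry table.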

this could be simplified to:

if (count <= 0 || count > 256 - (i <= 'N') - i) {

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
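Added example (not FFmpeg code and not from either poster): the three forms of the check from this thread side by side, with the original's overflow modelled explicitly so it can be shown without signed-overflow UB, plus a sweep confirming the patched form and the simplified form agree; the 256-entry table and the single extra slot at 'N' are taken from the hunk and the patch description.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* i: index into the 256-entry header table, count: run length read from
 * the header.  The patch description says the i == 'N' case does a j--,
 * so that index may only consume one entry less than the others. */

/* Original check, with the addition done in unsigned so the wraparound
 * that the patch description mentions is reproduced deterministically. */
static bool orig_check_rejects(int i, int count)
{
    int sum = (int)((unsigned)i + (unsigned)count);
    return count == 0 || sum > 256;
}

/* Check as written in the patch hunk. */
static bool patch_check_rejects(int i, int count)
{
    return count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && count > 255 - i);
}

/* Michael's simplified form of the same condition. */
static bool simplified_check_rejects(int i, int count)
{
    return count <= 0 || count > 256 - (i <= 'N') - i;
}

/* Returns 1 if the patched and simplified checks agree for every table
 * index and a set of boundary counts (constructed here), 0 otherwise. */
int checks_agree(void)
{
    const int counts[] = { INT_MIN, -1, 0, 1, 2, 100, 176, 177, 178, 179,
                           255, 256, 257, INT_MAX - 300, INT_MAX };
    for (int i = 0; i < 256; i++)
        for (size_t k = 0; k < sizeof counts / sizeof *counts; k++)
            if (patch_check_rejects(i, counts[k]) != simplified_check_rejects(i, counts[k]))
                return 0;
    return 1;
}

int main(void)
{
    /* i = 10, count = INT_MAX: i + count wraps negative, so the original
     * check accepts it while both corrected checks reject it. */
    printf("original rejects: %d\n", orig_check_rejects(10, INT_MAX));
    printf("patched rejects:  %d\n", patch_check_rejects(10, INT_MAX));
    printf("checks agree:     %d\n", checks_agree());
    return 0;
}
```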