[FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header

Michael Niedermayer michaelni at gmx.at
Tue Apr 28 23:22:40 CEST 2015


On Tue, Apr 28, 2015 at 10:39:40PM +0200, Andreas Cadhalpun wrote:
> On 28.04.2015 22:21, Michael Niedermayer wrote:
> > On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
> >> The existing check has two problems:
> >>  1) i + count can overflow, so that the check '< 256' returns true.
> >>  2) In the (i == 'N') case a j-- occurs, so that the loop runs once more.
> >>
> >> This can trigger the assertion 'nut->header_len[0] == 0' or cause
> >> segmentation faults or infinite hangs.
> >>
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >>  libavformat/nutdec.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> >> index 1bb2091..46946d3 100644
> >> --- a/libavformat/nutdec.c
> >> +++ b/libavformat/nutdec.c
> >> @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
> >>          while (tmp_fields-- > 8)
> >>              ffio_read_varlen(bc);
> >>  
> >> -        if (count == 0 || i + count > 256) {
> >> +        if (count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && count > 255 - i)) {
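Review bot: the two i-branches on the `+` line differ only by one in the bound (256 - i for i > 'N', 255 - i for i <= 'N'), so the whole condition collapses to a single comparison, `count > 256 - (i <= 'N') - i`, which is easier to read and to verify against the commit message's two cases (sum overflow and the extra j-- iteration at i == 'N'); whichever form is used, keep the parentheses balanced. Tightening `count == 0` to `count <= 0` is the right call here, since a negative count is exactly what lets the old `i + count > 256` test pass when it should not.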
> > 
> > this could be simplified to:
> > 
> > if (count <= 0 || count > 256 - (i <= 'N') - i)) {
>                                                  ^
> OK, but there is a bracket too much.
> New patch attached.
> 
> Best regards,
> Andreas

>  nutdec.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 4f42bba58646e45fba9c52b4ec5faa3cf7e6904f  0001-nutdec-fix-illegal-count-check-in-decode_main_header.patch
> From 95cc0bb685be1436e0689ea77daa3c63d691ecd4 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> Date: Tue, 28 Apr 2015 22:37:19 +0200
> Subject: [PATCH] nutdec: fix illegal count check in decode_main_header

applied

thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
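To make the two failure cases from the commit message concrete, here is a small stand-alone C program written for this thread; it is not FFmpeg code. It models the original check, the check from the patch and the simplified form suggested in review as pure functions (the names old_check_rejects, patched_check_rejects, simplified_check_rejects and forms_agree are my own), with i standing for the 0..255 index and count for the run length, and then compares the patched and simplified forms exhaustively.

```c
#include <stdio.h>

/* Hypothetical models of the bound check in decode_main_header(); these
 * are not the nutdec.c functions. 'i' is the table index (0..255) and
 * 'count' the run length read from the header. Each returns 1 when the
 * (i, count) pair is rejected. */

/* Original form: "count == 0 || i + count > 256" */
static int old_check_rejects(int i, int count)
{
    return count == 0 || i + count > 256;
}

/* Form from the patch: bound is one lower for i <= 'N', because the
 * loop body runs once more in that case */
static int patched_check_rejects(int i, int count)
{
    return count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && count > 255 - i);
}

/* Simplified form suggested in review, with the extra bracket removed */
static int simplified_check_rejects(int i, int count)
{
    return count <= 0 || count > 256 - (i <= 'N') - i;
}

/* Compare the patched and simplified forms for every index and a range of
 * counts (negative ones included); returns 1 when they agree everywhere. */
static int forms_agree(void)
{
    for (int i = 0; i < 256; i++)
        for (int count = -1024; count <= 1024; count++)
            if (patched_check_rejects(i, count) != simplified_check_rejects(i, count))
                return 0;
    return 1;
}

int main(void)
{
    /* A negative count slips past the old check: -5 is not 0, and 0 + -5 is not > 256 */
    printf("count -5 at i=0: old rejects %d, patched rejects %d\n",
           old_check_rejects(0, -5), patched_check_rejects(0, -5));
    /* At i == 'N' one more entry is consumed, so 256 - 'N' is one too many */
    printf("count 256-'N' at i='N': old rejects %d, patched rejects %d\n",
           old_check_rejects('N', 256 - 'N'), patched_check_rejects('N', 256 - 'N'));
    printf("patched and simplified forms agree: %d\n", forms_agree());
    return 0;
}
```

The exhaustive comparison is the useful part: it shows that the one-line form is not just shorter but identical in behaviour to the three-comparison version, including for negative counts, which is what the count <= 0 tightening is there for.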