[FFmpeg-cvslog] r19973 - trunk/libavcodec/utils.c
Michael Niedermayer
michaelni
Wed Sep 23 16:53:11 CEST 2009
On Wed, Sep 23, 2009 at 04:25:22AM +0300, Uoti Urpala wrote:
> On Wed, 2009-09-23 at 00:44 +0200, michael wrote:
> > Log:
> > Check codec_id and codec_type in avcodec_open(), based on 43_codec_type_mismatch.patch from chrome
> > This is said to be able to lead to a stack based buffer overflow.
> >
> > Modified:
> > trunk/libavcodec/utils.c
> >
> > Modified: trunk/libavcodec/utils.c
> > ==============================================================================
> > --- trunk/libavcodec/utils.c Tue Sep 22 22:38:03 2009 (r19972)
> > +++ trunk/libavcodec/utils.c Wed Sep 23 00:44:56 2009 (r19973)
> > @@ -481,7 +481,10 @@ int attribute_align_arg avcodec_open(AVC
> > }
> >
> > avctx->codec = codec;
> > - avctx->codec_id = codec->id;
> > + if(avctx->codec_id != codec->id || avctx->codec_type != codec->type){
> > + av_log(avctx, AV_LOG_ERROR, "codec type or id mismatches\n");
> > + goto end;
> > + }
>
> What's the point of this? Is the application supposed to set those
> before calling avcodec_open()? If so then why couldn't FFmpeg set them
> just as well instead of checking they're already set? Or what kind of
> usage is assumed where they could already be set to different values and
> checking it could be meaningful? Is this about FFmpeg itself using
> avcodec_open() internally in an unsafe way?
>
> At least MPlayer does not set avctx->codec_id or avctx->codec_type
> before calling avcodec_open() and so wouldn't work with this change. Of
> course setting them would be trivial, but does requiring that really
> make sense for the API?
A patch that sets codec_id to codec->codec_id if they are both at
CODEC_ID_NONE/CODEC_TYPE_"correct" is welcome
codec_type has to be correct because avcodec_alloc_context2() sets it
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/attachments/20090923/f919f1aa/attachment.pgp>
More information about the ffmpeg-cvslog
mailing list