[FFmpeg-devel] [PATCH] ac3_probe input buffer overrun
Wolfram Gloger
wmglo
Sat Sep 1 13:19:42 CEST 2007
Hi,
> and note:
> #define AVPROBE_PADDING_SIZE 32 ///< extra allocated bytes at the end of the probe buffer
>
> so this patch is likely wrong but i dunno how much ff_ac3_parse_header
> can read or ...
It can read exactly 7 bytes (maximum).
> note2, valgrind is buggy and sometimes claims uninitialized memory would be
> used while it actually isn't!
Not that I can find any current valgrind bug reports like that,
but in this case the memory is quite definitely uninitialized:
--- ffmpeg-wg/libavformat/utils.c~ 2007-08-30 23:45:32.000000000 +0200
+++ ffmpeg-wg/libavformat/utils.c 2007-09-01 13:00:15.000000000 +0200
@@ -445,6 +445,7 @@
/* read probe data */
pd->buf= av_realloc(pd->buf, probe_size + AVPROBE_PADDING_SIZE);
pd->buf_size = get_buffer(pb, pd->buf, probe_size);
+ memset(pd->buf + pd->buf_size, 0, AVPROBE_PADDING_SIZE);
if (url_fseek(pb, 0, SEEK_SET) < 0) {
url_fclose(pb);
if (url_fopen(pb, filename, URL_RDONLY) < 0) {
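Review bot: the new memset uses pd->buf_size as its offset without checking it; it is in bounds only when get_buffer returned a count between 0 and probe_size, so if get_buffer can return a negative error code here, clamp or bail out before `memset(pd->buf + pd->buf_size, 0, AVPROBE_PADDING_SIZE);`. The av_realloc result on the preceding context line is likewise still used unchecked, and a NULL return would be dereferenced by both get_buffer and the memset. Note also that on a short read only the AVPROBE_PADDING_SIZE bytes immediately after buf_size are cleared; everything from buf_size + AVPROBE_PADDING_SIZE up to the end of the allocation stays stale, which is fine only as long as every prober limits its reads to buf_size + AVPROBE_PADDING_SIZE, the contract the padding comment describes.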
should fix it too and could of course replace my patch.
BTW using realloc here seems unnecessary and expensive -- AFAICS the
whole buffer content is always read again. How about replacing this
with av_malloc/av_free?
Or, alternatively, not seek to start and always read the
whole probe_size, but only attempt to read PROBE_BUF_MIN bytes _more_?
Regards,
Wolfram.
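To make concrete what the thread is arguing about (a prober that reads a fixed 7-byte header near the end of a probe buffer whose padding was never initialized), here is an added toy model in C. It is not FFmpeg code: fake_get_buffer, fill_probe, toy_ac3_probe, demo_hits and demo_tail are names chosen for this example, PROBE_PADDING stands in for AVPROBE_PADDING_SIZE, the 0xAA fill simulates stale heap contents, and the 10-byte input is constructed so that a sync word sits in the last two bytes of a short read. The header field positions follow the ATSC A/52 syncframe layout, but the range checks are a loose stand-in for what a real parser does.

```c
/* Toy model of a probe buffer with trailing padding, written for this thread.
 * Not FFmpeg code; all names below are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROBE_PADDING   32  /* stands in for AVPROBE_PADDING_SIZE */
#define AC3_HEADER_SIZE 7   /* the parser reads at most 7 bytes (per the thread) */

struct probe_data {
    uint8_t *buf;
    int buf_size;           /* bytes actually read; may be < the requested probe size */
};

/* Stand-in for get_buffer(): copy up to `want` bytes from an in-memory source,
 * returning fewer when the source is shorter (a short file). */
static int fake_get_buffer(const uint8_t *src, int src_len, uint8_t *dst, int want)
{
    int n = want < src_len ? want : src_len;
    memcpy(dst, src, (size_t)n);
    return n;
}

/* Allocate probe_size + PROBE_PADDING bytes, read, and (if zero_pad) clear the
 * padding the way the memset in the patch does. Without zero_pad the tail keeps
 * whatever the allocator left there; 0xAA simulates that stale heap content. */
static int fill_probe(struct probe_data *pd, const uint8_t *src, int src_len,
                      int probe_size, int zero_pad)
{
    size_t alloc = (size_t)probe_size + PROBE_PADDING;
    pd->buf = malloc(alloc);
    if (!pd->buf)
        return -1;
    memset(pd->buf, 0xAA, alloc);                    /* simulated stale heap */
    pd->buf_size = fake_get_buffer(src, src_len, pd->buf, probe_size);
    if (pd->buf_size < 0 || pd->buf_size > probe_size) {
        free(pd->buf);
        pd->buf = NULL;
        return -1;
    }
    if (zero_pad)
        memset(pd->buf + pd->buf_size, 0, PROBE_PADDING);
    return 0;
}

/* Toy AC-3 prober: at every offset below buf_size look for the 0x0B77 sync word
 * and decode the 7-byte header. A sync at buf_size-2 makes the header read reach
 * 5 bytes past buf_size: inside the allocation (buf_size <= probe_size, plus the
 * padding) but only well-defined once the padding has been zeroed. Returns the
 * number of syncs whose fields are in range; *tail receives the last header
 * byte actually consumed so the caller can see what the parser saw. */
static int toy_ac3_probe(const struct probe_data *pd, uint8_t *tail)
{
    int hits = 0;
    for (int i = 0; i + 1 < pd->buf_size; i++) {
        const uint8_t *h = pd->buf + i;
        if (h[0] != 0x0B || h[1] != 0x77)
            continue;
        /* A/52 layout: byte 4 = fscod(2) | frmsizecod(6), byte 5 = bsid(5) | bsmod(3) */
        int fscod = h[4] >> 6, frmsizecod = h[4] & 0x3F, bsid = h[5] >> 3;
        if (tail)
            *tail = h[AC3_HEADER_SIZE - 1];
        if (fscod != 3 && frmsizecod < 38 && bsid <= 8)   /* loose range checks */
            hits++;
    }
    return hits;
}

/* Constructed input: one plausible header at offset 0, and a bare sync word as
 * the final two bytes, so the second header read runs into the padding. */
static const uint8_t SAMPLE[] = {0x0B, 0x77, 0x12, 0x34, 0x40, 0x10, 0x3F, 0x00, 0x0B, 0x77};

static int run(int zero_pad, uint8_t *tail)
{
    struct probe_data pd;
    if (fill_probe(&pd, SAMPLE, (int)sizeof SAMPLE, 64, zero_pad) < 0)
        return -1;
    int hits = toy_ac3_probe(&pd, tail);
    free(pd.buf);
    return hits;
}

int demo_hits(int zero_pad) { uint8_t t; return run(zero_pad, &t); }
int demo_tail(int zero_pad) { uint8_t t = 0xFF; run(zero_pad, &t); return t; }

int main(void)
{
    printf("zeroed padding: hits=%d tail=0x%02X\n", demo_hits(1), demo_tail(1));
    printf("stale padding:  hits=%d tail=0x%02X\n", demo_hits(0), demo_tail(0));
    return 0;
}
```

With the padding zeroed the trailing sync word decodes to an all-zero header and the probe score is the same on every run; with stale padding the score depends on whatever the allocator left behind, which is exactly the kind of read valgrind reports. The clearing only covers PROBE_PADDING bytes past buf_size, so the prober is written never to look further than buf_size + AC3_HEADER_SIZE - 2.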