[FFmpeg-devel] [PATCH] Fixed size given to init_get_bits() in xan decoder.
Laurent Aimar
fenrir at elivagar.org
Sat Sep 10 13:36:56 CEST 2011
On Sat, Sep 10, 2011 at 01:37:44AM +0200, Michael Niedermayer wrote:
> On Sat, Sep 10, 2011 at 12:40:31AM +0200, Laurent Aimar wrote:
> > See the title.
> [...]
>
> > @@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) {
> > vector_segment = s->buf + AV_RL16(&s->buf[4]);
> > imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
> >
> > - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size);
> > + xan_huffman_decode(opcode_buffer, opcode_buffer_size,
> > + huffman_segment, s->size - (huffman_segment - s->buf) );
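Review bot: the new length argument `s->size - (huffman_segment - s->buf)` is passed without first checking that the 16-bit offset huffman_segment was derived from (the same `s->buf + AV_RL16(...)` pattern used for vector_segment and imagedata_segment just above) is smaller than s->size, so a frame header carrying an offset at or past the end of the buffer hands init_get_bits a negative size. Validate all four header offsets before any of the segment pointers are used, e.g. `if (AV_RL16(s->buf + i) >= s->size) return -1;` for i = 0, 2, 4, 6, and have the callers propagate the error. The hunk also changes the call to a four-argument (dst, dst size, src, src size) form; the definition of xan_huffman_decode and any other caller must move to the same signature in this patch.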
>
> something like the following could be used to find a tighter size bound
> unsigned hsize= s->size - AV_RL16(s->buf);
> for(i=2; i<8; i+=2)
> hsize= FFMIN(hsize, AV_RL16(s->buf+i) - AV_RL16(s->buf));
>
> also either way it needs something like:
> for(i=0; i<8; i+=2)
> if(AV_RL16(s->buf+i) >= s->size)
> return -1;
>
> without that the size could become negative, which doesn't seem right to
> me
Yes, I agree that the size should be checked, but I don't think it belongs in
this patch:
- with or without this patch, the case where the size becomes < 0 will
segfault.
- this patch fixes the argument value of init_get_bits.
Also, Alex Converse has sent a patch containing the bounds checking for the xan
decoder.
Regards,
--
fenrir
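The offset validation and the tighter bound on the Huffman segment that the thread discusses, written out as an added example (this is not FFmpeg's xan.c, not Laurent's patch and not Michael's snippet). It assumes the frame layout the quoted hunk and snippet imply: four little-endian 16-bit offsets at buf[0], buf[2], buf[4] and buf[6], the first of them being the Huffman segment. The function names, the 8-byte header constant and the sample frames are constructed for the example.

```c
/* Added example: validate the WC3 frame header offsets and derive a byte
 * bound for the Huffman segment before anything like init_get_bits() sees
 * it.  Not FFmpeg code; layout assumed from the thread. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* little-endian 16-bit read, same role as AV_RL16 */
#define RL16(p) ((unsigned)((p)[0]) | ((unsigned)((p)[1]) << 8))

#define XAN_HEADER_SIZE 8   /* four 16-bit offsets (assumed) */

/* Returns the number of bytes available to the Huffman segment, or -1 when
 * the frame is too short or any offset points at or past its end.  Without
 * the offset check "size - offset" goes negative, which is the failure mode
 * discussed in the thread. */
int xan_huffman_segment_size(const uint8_t *buf, int size)
{
    unsigned off[4];
    unsigned hsize;
    int i;

    if (size < XAN_HEADER_SIZE)
        return -1;

    for (i = 0; i < 4; i++) {
        off[i] = RL16(buf + 2 * i);
        /* an offset at or beyond the end leaves no bytes for that segment */
        if (off[i] >= (unsigned)size)
            return -1;
    }

    /* loose bound: everything from the Huffman segment to the end of frame */
    hsize = (unsigned)size - off[0];

    /* tighter bound: a segment that starts after the Huffman data ends it;
     * segments that start before it place no constraint on it */
    for (i = 1; i < 4; i++) {
        if (off[i] > off[0] && off[i] - off[0] < hsize)
            hsize = off[i] - off[0];
    }
    return (int)hsize;
}

static void put_le16(uint8_t *p, unsigned v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
}

/* Builds a constructed frame of `size` bytes carrying the four offsets and
 * runs the check on it.  Returns what xan_huffman_segment_size() returns. */
int check_frame(unsigned huff, unsigned sz, unsigned vec, unsigned img, int size)
{
    uint8_t buf[256];

    if (size < 0 || size > (int)sizeof(buf))
        return -1;
    memset(buf, 0, sizeof(buf));
    put_le16(buf + 0, huff);
    put_le16(buf + 2, sz);
    put_le16(buf + 4, vec);
    put_le16(buf + 6, img);
    return xan_huffman_segment_size(buf, size);
}

int main(void)
{
    /* Huffman data at 8, other segments at 40/60/80 in a 100-byte frame */
    printf("well-formed frame:          %d\n", check_frame(8, 40, 60, 80, 100));
    /* Huffman data placed last: bound is the distance to end of frame */
    printf("huffman segment last:       %d\n", check_frame(50, 8, 20, 30, 100));
    /* hostile header: one offset beyond the frame */
    printf("offset past end of frame:   %d\n", check_frame(8, 0xFFFF, 60, 80, 100));
    /* truncated frame shorter than the header itself */
    printf("frame shorter than header:  %d\n", check_frame(8, 40, 60, 80, 4));
    return 0;
}
```

The bound computed here is only as tight as the header is honest: a header whose other offsets precede the Huffman segment falls back to "to the end of the frame", which is still non-negative. A decoder may also want to reject offsets that land inside the 8-byte header itself; the thread does not discuss that case, so the example does not either.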