[FFmpeg-devel] [PATCH 1/4] Fix invalid pointer deferences when parsing index in flv demuxer.
Laurent Aimar
fenrir at elivagar.org
Sat Sep 24 18:04:48 CEST 2011
On Sat, Sep 24, 2011 at 05:36:51PM +0200, Michael Niedermayer wrote:
> On Sat, Sep 24, 2011 at 04:16:38PM +0200, fenrir at elivagar.org wrote:
> > From: Laurent Aimar <fenrir at videolan.org>
> >
> > ---
> > libavformat/flvdec.c | 4 ++--
> > 1 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> > index 569d734..e32829d 100644
> > --- a/libavformat/flvdec.c
> > +++ b/libavformat/flvdec.c
> > @@ -196,8 +196,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
> > }
> > }
> >
> > - if (timeslen == fileposlen)
> > - for(i = 0; i < arraylen; i++)
> > + if (!ret && timeslen == fileposlen)
> > + for(i = 0; i < fileposlen; i++)
> > av_add_index_entry(vstream, filepositions[i], times[i]*1000, 0, 0, AVINDEX_KEYFRAME);
>
> This bug is libav.org specific
> And your fix is wrong, theres an integer overflow further up that causes
> the allocated array size to be too small.
It might be a good think to add an av_calloc() that would take care
of the overflow check, no? It seems it's a common enough pattern.
> The writing though is stoped by the end of object, so only the reading
> causes the crash.
> In ffmpeg.org this is impossible.
> in libav.org an attacker could easily use this to overwrite memory and
> execute arbitrary code. (even with your patch)
Ok, thanks for the analysis.
--
fenrir
More information about the ffmpeg-devel
mailing list