[FFmpeg-devel] [PATCH] lavu/avstring: check for overlong encodings

wm4 nfxjfg at googlemail.com
Fri Aug 29 15:57:32 CEST 2014


On Thu, 28 Aug 2014 17:39:27 +0200
Stefano Sabatini <stefasab at gmail.com> wrote:

> Fix reopened trac ticket #1163.
> ---
>  libavutil/avstring.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/libavutil/avstring.c b/libavutil/avstring.c
> index a63fb84..df27d5e 100644
> --- a/libavutil/avstring.c
> +++ b/libavutil/avstring.c
> @@ -331,7 +331,10 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
>      const uint8_t *p = *bufp;
>      uint32_t top;
>      uint64_t code;
> -    int ret = 0;
> +    int ret = 0, tail_len;
> +    uint32_t overlong_encoding_mins[6] = {
> +        0x00000000, 0x00000080, 0x00000800, 0x00010000, 0x00200000, 0x04000000,
> +    };
>  
>      if (p >= buf_end)
>          return 0;
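Review bot: overlong_encoding_mins is a plain automatic array, so it is rebuilt on the stack on every call; declaring it `static const uint32_t overlong_encoding_mins[6]` makes it read-only and constant-initialised. It also has exactly six entries and is indexed by tail_len further down, so tail_len must never exceed 5, yet nothing in this hunk establishes that bound; either add an `av_assert0(tail_len <= 5)` before the lookup or put a comment next to the table saying where the bound comes from.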
> @@ -346,8 +349,10 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
>      }
>      top = (code & 128) >> 1;
>  
> +    tail_len = 0;
>      while (code & top) {
>          int tmp;
> +        tail_len++;
>          if (p >= buf_end) {
>              (*bufp) ++;
>              return AVERROR(EILSEQ); /* incomplete sequence */
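Review bot: `tail_len++` runs before the `if (p >= buf_end)` check, so on a truncated sequence it counts a continuation byte that was never read; harmless because that path returns immediately, but placing the increment after the checks (or at the end of the loop body) keeps tail_len equal to the number of continuation bytes actually consumed, which is the quantity the overlong table is defined over. `tail_len = 0;` could also be folded into the declaration instead of being a separate statement before the loop.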
> @@ -364,6 +369,12 @@ int av_utf8_decode(int32_t *codep, const uint8_t **bufp, const uint8_t *buf_end,
>      }
>      code &= (top << 1) - 1;
>  
> +    /* check for overlong encodings */
> +    if (code < overlong_encoding_mins[tail_len]) {
> +        ret = AVERROR(EILSEQ);
> +        goto end;
> +    }
> +
>      if (code >= 1<<31) {
>          ret = AVERROR(EILSEQ);  /* out-of-range value */
>          goto end;
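Review bot: the comment on the new check should say what it protects against, not only what it does: an overlong form such as C0 AF for '/' or C0 80 for NUL decodes to the same code point as the short form and is the classic way to slip a forbidden byte past a filter that inspects raw bytes, which is why the Unicode standard requires such sequences to be rejected. The table values themselves are right (2-byte forms must encode >= 0x80, 3-byte >= 0x800, 4-byte >= 0x10000, 5-byte >= 0x200000, 6-byte >= 0x4000000). Since 5- and 6-byte sequences are decoded and checked here even though they are not valid UTF-8 under RFC 3629, it is worth stating in the comment whether accepting them is intentional or gated by one of the `flags` the function takes; if not, a `tail_len > 3` rejection belongs alongside this check.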

Looks ok and simple to me. Is there a guarantee tail_len never
becomes larger than 5?

Also note that libavcodec/utils.c contains the same check (but less
readable) in utf8_check().

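A stand-alone version of the same check, added here as an illustration and not taken from the patch or from FFmpeg's libavutil: a strict UTF-8 decoder in C that counts continuation bytes the way the patch does, rejects anything below the minimum for that length, and is then run over the classic overlong spellings of '/' that byte-level path filters miss. The function names (utf8_decode_strict, utf8_first_cp, utf8_is_valid) and the sample byte strings are my own; the decoder also goes beyond the patch by rejecting code points above U+10FFFF and surrogates, as RFC 3629 requires.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Decode one UTF-8 sequence from [*bufp, buf_end).
 *   1       : success, code point in *codep, *bufp advanced past the sequence
 *   0       : no input left
 *  -EILSEQ  : malformed, truncated or overlong; *bufp is advanced by one byte
 *             so a caller can resynchronise and keep scanning
 * 5- and 6-byte forms are decoded and compared against their own minimum,
 * as in the patch, so an overlong encoding is rejected whatever its length.
 */
static int utf8_decode_strict(uint32_t *codep, const uint8_t **bufp,
                              const uint8_t *buf_end)
{
    /* smallest code point that legitimately needs tail_len continuation bytes */
    static const uint32_t min_for_tail[6] = {
        0x00000000, 0x00000080, 0x00000800, 0x00010000, 0x00200000, 0x04000000,
    };
    const uint8_t *p = *bufp;
    uint32_t lead, code, bit;
    int tail_len, i;

    if (p >= buf_end)
        return 0;

    lead = *p++;
    if (lead < 0x80) {                              /* 1-byte ASCII form */
        *codep = lead;
        *bufp  = p;
        return 1;
    }
    if ((lead & 0xC0) == 0x80 || lead >= 0xFE) {    /* stray continuation, or FE/FF */
        *bufp += 1;
        return -EILSEQ;
    }

    /* count the 1 bits after the leading 1: 110xxxxx -> 1 ... 1111110x -> 5;
       rejecting FE and FF above is what keeps tail_len within the table */
    tail_len = 0;
    for (bit = 0x40; lead & bit; bit >>= 1)
        tail_len++;
    code = lead & (bit - 1);                        /* payload bits of the lead byte */

    for (i = 0; i < tail_len; i++) {
        if (p >= buf_end || (*p & 0xC0) != 0x80) {  /* truncated, or not 10xxxxxx */
            *bufp += 1;
            return -EILSEQ;
        }
        code = (code << 6) | (*p++ & 0x3F);
    }

    if (code < min_for_tail[tail_len]) {            /* the overlong check */
        *bufp += 1;
        return -EILSEQ;
    }
    /* stricter than the patch: RFC 3629 stops at U+10FFFF and excludes surrogates */
    if (code > 0x10FFFF || (code >= 0xD800 && code <= 0xDFFF)) {
        *bufp += 1;
        return -EILSEQ;
    }
    *codep = code;
    *bufp  = p;
    return 1;
}

/* Decode the first sequence of buf; return its code point, or -1 if rejected. */
static long utf8_first_cp(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t cp;
    return utf8_decode_strict(&cp, &p, buf + len) == 1 ? (long)cp : -1;
}

/* Return 1 if buf[0..len) is entirely well-formed, shortest-form UTF-8, else 0. */
static int utf8_is_valid(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t cp;
    int r;
    while ((r = utf8_decode_strict(&cp, &p, buf + len)) == 1)
        ;
    return r == 0;
}

int main(void)
{
    /* constructed samples: U+002F '/' in its short form and its overlong forms */
    static const struct { const char *label; const char *bytes; size_t len; } samples[] = {
        { "2F          (short form)",      "\x2F",             1 },
        { "C0 AF       (2-byte overlong)", "\xC0\xAF",         2 },
        { "E0 80 AF    (3-byte overlong)", "\xE0\x80\xAF",     3 },
        { "F0 80 80 AF (4-byte overlong)", "\xF0\x80\x80\xAF", 4 },
        { "E2 82 AC    (U+20AC, valid)",   "\xE2\x82\xAC",     3 },
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        long cp = utf8_first_cp((const uint8_t *)samples[n].bytes, samples[n].len);
        if (cp < 0)
            printf("%s -> rejected (EILSEQ)\n", samples[n].label);
        else
            printf("%s -> U+%04lX\n", samples[n].label, cp);
    }
    return 0;
}
```

Two design points carried over from the patch: the error path advances the caller's pointer by exactly one byte so a scanner can resynchronise on the next plausible lead byte instead of stalling, and the six-entry minimum table is only safe because lead bytes 0xFE and 0xFF are refused before the continuation count is taken; without that refusal a 0xFE lead byte would yield tail_len 6 and index past the table.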
