[FFmpeg-devel] [PATCH] rawdec: fix mjpeg probing buffer size check

Michael Niedermayer michael at niedermayer.cc
Thu Jul 30 00:55:49 CEST 2015


On Thu, Jul 30, 2015 at 12:28:36AM +0200, wm4 wrote:
> On Thu, 30 Jul 2015 00:17:49 +0200
> Michael Niedermayer <michael at niedermayer.cc> wrote:
> 
> > On Wed, Jul 29, 2015 at 10:33:44PM +0200, wm4 wrote:
> > > ---
> > > If I read this right, the subtraction and comparison would be done in
> > > unsigned, because size_t is unsigned. Which would make this check
> > > ineffective. (p->buf_size is int.)
> > > ---
> > >  libavformat/rawdec.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > I wonder why this wasn't noticed before
> > I've the suspicion the negative case cannot actually occur
> > either way it's a bug
> 
> When not? I suppose normally nobody would make the probe buffer so
> small, but what about small files?

To reach the loop you first need to have some construct that parses
into 2 valid-looking frames and is still smaller than the string.
A random small file will not trigger this, a crafted file might "work".

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you don't want and which you would get tomorrow for free anyway
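The arithmetic wm4 describes, as an added stand-alone illustration that is not code from the patch or from FFmpeg's rawdec.c (the page does not show the actual hunk): an int buffer length minus a size_t string length is evaluated in size_t, so when the buffer is shorter than the string the result wraps to a huge unsigned value instead of going negative, and a loop bounded by it would read past the probe buffer. The search string, the clamp to 100 positions, and the helper names below are assumptions made for this example; the contrast is between the unsigned form and the same expression with sizeof cast to int.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed search string for the example; the real probe string in
 * rawdec.c is not shown on this page. sizeof includes the NUL. */
static const char NEEDLE[] = "\r\nContent-Type: image/jpeg\r\n";

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Bound as written with an unsigned subtrahend: buf_size (int) minus
 * sizeof (size_t) is computed in size_t. For buf_size < sizeof(NEEDLE)
 * it wraps to a value near SIZE_MAX, and MIN against 100 then yields
 * 100, never a negative number. Returned as long long so the caller
 * can compare it with the signed variant. */
static long long bound_unsigned(int buf_size)
{
    size_t n = MIN(buf_size - sizeof(NEEDLE), (size_t)100);
    return (long long)n;
}

/* Fixed form: casting sizeof to int keeps the subtraction signed, so a
 * short buffer produces a negative bound and a for-loop "i < bound"
 * runs zero times. */
static long long bound_signed(int buf_size)
{
    int n = MIN(buf_size - (int)sizeof(NEEDLE), 100);
    return n;
}

/* Would the last memcmp(buf + i, NEEDLE, sizeof(NEEDLE) - 1) of a loop
 * "for (i = 0; i < bound; i++)" touch a byte at or beyond buf_size?
 * Computed arithmetically so the example itself never reads out of
 * bounds. fixed selects the signed (1) or unsigned (0) bound. */
static int overruns(int buf_size, int fixed)
{
    long long bound = fixed ? bound_signed(buf_size) : bound_unsigned(buf_size);
    if (bound <= 0)
        return 0;                       /* loop body never executes */
    long long last_i    = bound - 1;
    long long last_byte = last_i + (long long)(sizeof(NEEDLE) - 1) - 1;
    return last_byte >= buf_size;
}

int main(void)
{
    int sizes[] = { 10, (int)sizeof(NEEDLE) - 1, (int)sizeof(NEEDLE), 40, 200 };
    size_t k;

    printf("needle occupies %zu bytes (incl. NUL)\n", sizeof(NEEDLE));
    for (k = 0; k < sizeof(sizes) / sizeof(sizes[0]); k++) {
        int s = sizes[k];
        printf("buf_size=%3d  unsigned bound=%4lld overrun=%d  "
               "signed bound=%4lld overrun=%d\n",
               s, bound_unsigned(s), overruns(s, 0),
               bound_signed(s), overruns(s, 1));
    }
    return 0;
}
```

The interesting rows are the ones where buf_size is below sizeof(NEEDLE): the unsigned bound clamps to 100 and the loop would compare against bytes far past the end of a 10-byte buffer, while the signed bound is negative and the loop is skipped. Once the buffer is at least as long as the string, both forms agree, which is consistent with the observation in the thread that an ordinary file will not reach the bad case.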