On 18.04.2015 20:05, Michael Niedermayer wrote:
> On Sat, Apr 18, 2015 at 06:58:30PM +0200, Andreas Cadhalpun wrote:
>> If begin is smaller than t, the subtraction 'begin -= t' wraps around,
>> because begin is unsigned. The same applies for end < t.
>>
>> This causes segmentation faults.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavcodec/alsdec.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
>> index f85f1e8..ff6b6cf 100644
>> --- a/libavcodec/alsdec.c
>> +++ b/libavcodec/alsdec.c
>> @@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext 
>> *ctx, ALSBlockData *bd,
>>  
>>              if (ch[dep].time_diff_sign) {
>>                  t      = -t;
>> +                if (begin < t) {
>> +                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than 
>> time diff index %d.\n", begin, t);
>> +                    return AVERROR_INVALIDDATA;
>> +                }
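Review bot: the new `if (begin < t)` check after `t = -t` misfires for negative t: `begin` is unsigned, so the usual arithmetic conversions turn `t` into an unsigned value and any negative `t` compares as a huge number, which makes the check reject input that `begin -= t` handles fine (a negative `t` only moves `begin` up). The wrap the commit message describes needs a positive `t` larger than `begin`, so guard the sign first, e.g. `if (t > 0 && begin < t)`.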
> 
> begin is 1, t < 0 also the comparison is unsigned so t will overflow
> in it

Sorry, I sent the wrong version of the patch. Fixed one attached.
The t < 0 case is not problematic for the subtraction.

Best regards,
Andreas

From dac2280eae25081fa9bfd3c392cf9d7837c3a092 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Sat, 18 Apr 2015 20:09:28 +0200
Subject: [PATCH] alsdec: validate time diff index

If begin is smaller than t, the subtraction 'begin -= t' wraps around,
because begin is unsigned. The same applies for end < t.

This causes segmentation faults.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/alsdec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index f85f1e8..e0453e9 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
 
             if (ch[dep].time_diff_sign) {
                 t      = -t;
+                if (t > 0 && begin < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t);
+                    return AVERROR_INVALIDDATA;
+                }
                 begin -= t;
             } else {
+                if (t > 0 && end < t) {
+                    av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t);
+                    return AVERROR_INVALIDDATA;
+                }
                 end   -= t;
             }
 
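Review bot: the `t > 0 &&` guards catch the wrap for positive t in both branches, but a negative t in the `else` branch (`end -= t` with t < 0) still grows `end` unchecked, so the sample loop bounded by `end` would run past the block just as it does after a wrap; if time_diff_index can be negative there, reject `t < 0` in that branch too, or validate the index range once where it is parsed rather than in both branches. Also, the two checks are the same condition against `begin` and `end`; a single check on `t` against the relevant bound ahead of the if/else would keep the two error paths from drifting apart later.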
-- 
2.1.4
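To make the integer semantics discussed in this thread concrete, here is an added example (my own code, not alsdec.c and not Andreas's patch) that models the begin/end arithmetic with the same types as the decoder, unsigned begin/end and int t. The block_length and time_diff_index values are constructed inputs, and the three check modes stand in for the pre-patch code, the first (quoted) patch and the corrected patch; the point it shows is that `end -= t` with t larger than end wraps to a loop bound of about four billion, that the first patch's `begin < t` compares as unsigned and so rejects every negative t, and that the `t > 0 &&` guard restores the intended behaviour:

```c
/*
 * Added example, not part of alsdec.c or the patch.  Models the
 * begin/end arithmetic of revert_channel_correlation() with the same
 * types (unsigned begin/end, int t) to show where the wrap and the
 * unsigned-comparison pitfall come from.
 */
#include <stdio.h>

enum check_mode {
    CHECK_NONE,   /* pre-patch: no validation at all            */
    CHECK_NAIVE,  /* first patch: 'begin < t' / 'end < t' only  */
    CHECK_FIXED   /* second patch: 't > 0 && begin < t' etc.    */
};

struct range { unsigned begin, end; };

/* Returns 0 and the loop bounds, or -1 when the check rejects the input.
 * block_length and time_diff_index are hypothetical inputs here; the real
 * decoder takes them from the bitstream. */
static int time_diff_range(unsigned block_length, int time_diff_index,
                           int time_diff_sign, enum check_mode mode,
                           struct range *r)
{
    unsigned begin = 1;
    unsigned end   = block_length - 1;
    int t = time_diff_index;

    if (time_diff_sign) {
        t = -t;
        /* The explicit (unsigned) cast is exactly the implicit conversion
         * C applies to 'begin < t': a negative t becomes UINT_MAX + 1 + t,
         * so the naive check rejects every negative t. */
        if (mode == CHECK_NAIVE && begin < (unsigned)t)
            return -1;
        if (mode == CHECK_FIXED && t > 0 && begin < (unsigned)t)
            return -1;
        begin -= t;          /* wraps only when t > begin */
    } else {
        if (mode == CHECK_NAIVE && end < (unsigned)t)
            return -1;
        if (mode == CHECK_FIXED && t > 0 && end < (unsigned)t)
            return -1;
        end -= t;            /* wraps when t > end: loop bound becomes huge */
    }
    r->begin = begin;
    r->end   = end;
    return 0;
}

/* Iterations 'for (smp = begin; smp < end; smp++)' would execute. */
static unsigned loop_iterations(const struct range *r)
{
    return r->end > r->begin ? r->end - r->begin : 0;
}

/* -1 when the check rejects the input, otherwise the iteration count. */
static long long iterations_for(unsigned block_length, int time_diff_index,
                                int time_diff_sign, enum check_mode mode)
{
    struct range r;
    if (time_diff_range(block_length, time_diff_index, time_diff_sign,
                        mode, &r) < 0)
        return -1;
    return loop_iterations(&r);
}

int main(void)
{
    static const struct {
        unsigned len; int idx, sign; enum check_mode mode; const char *label;
    } cases[] = {
        {  8, 10, 0, CHECK_NONE,  "no check, t > end (end wraps)"        },
        {  8, 10, 0, CHECK_NAIVE, "naive check, t > end"                 },
        { 64,  3, 1, CHECK_NAIVE, "naive check, t < 0 (valid input)"     },
        { 64,  3, 1, CHECK_FIXED, "fixed check, t < 0 (valid input)"     },
        {  8, 10, 0, CHECK_FIXED, "fixed check, t > end"                 },
        { 64, 10, 0, CHECK_FIXED, "fixed check, t within block"          },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long long n = iterations_for(cases[i].len, cases[i].idx,
                                     cases[i].sign, cases[i].mode);
        if (n < 0)
            printf("%-36s -> rejected\n", cases[i].label);
        else
            printf("%-36s -> %lld loop iterations for block_length %u\n",
                   cases[i].label, n, cases[i].len);
    }
    return 0;
}
```

The second case passes the naive check only because t happens to be positive; the third shows Michael's objection, where a perfectly ordinary negative t is rejected, and the first shows why an unchecked positive t is the dangerous direction: with block_length 8 the loop bound becomes 4294967293 and the decoder would index far beyond the block.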

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
