On Mon, Apr 27, 2015 at 11:56:15PM +0200, Andreas Cadhalpun wrote:
> s->decoded_buffer is allocated with a min_size of:
> 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
>
> Then it is assigned to s->decoded[0], which is passed as out buffer to
> decode_array_0000.
>
> In this function 64 elements of the out buffer are written
> unconditionally and outside the array if blockstodecode is too small.
>
> This causes memory corruption, leading to segmentation faults or other
> crashes.
>
> Thus check that FFALIGN(blockstodecode, 8) is at least 32, i.e. the
> decoded_buffer has at least 64 components.
The stereo case would need a check against 64, I think.

Also, if this is specific to decode_array_0000(), then the others should not fail with a short array, or decode_array_0000() could be made to just write less or error out.

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem conveniently.
New school: Use the highest level language in which the latest supercomputer can solve the problem without the user falling asleep waiting.
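The sizing argument in the two messages above, worked through as an added example (this is not FFmpeg's code and not part of the thread). It mirrors the allocation Andreas describes, 2 * FFALIGN(blockstodecode, 8) elements, and the 64-element unconditional write in decode_array_0000, and shows why a mono check needs FFALIGN(blockstodecode, 8) >= 32 while, as Michael notes, the stereo case needs 64. The assumption that decoded[1] begins FFALIGN(blockstodecode, 8) elements into the buffer, and the function names `decoded_buffer_elems`, `ape_fixed_write_fits`, `simulate_decode_array_0000` and `overflow_for`, are this example's own; FFALIGN is reproduced from libavutil/macros.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* FFALIGN as in FFmpeg's libavutil/macros.h: round x up to a multiple of a
 * (a must be a power of two). */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* decode_array_0000 writes this many output elements regardless of
 * blockstodecode (the figure quoted in the thread). */
#define UNCONDITIONAL_WRITES 64

/* Elements the decoder allocates for decoded_buffer, per the thread:
 * min_size is 2 * FFALIGN(blockstodecode, 8) * sizeof(*decoded_buffer). */
static size_t decoded_buffer_elems(int blockstodecode)
{
    return 2 * (size_t)FFALIGN(blockstodecode, 8);
}

/* Elements available to one channel's out pointer. Assumption of this
 * example: decoded[0] is the buffer start and, for stereo, decoded[1] starts
 * FFALIGN(blockstodecode, 8) elements in, so each channel gets half. */
static size_t channel_slice_elems(int blockstodecode, int channels)
{
    size_t total = decoded_buffer_elems(blockstodecode);
    return channels == 1 ? total : total / 2;
}

/* The proposed check: does a 64-element unconditional write into every
 * channel's slice stay inside decoded_buffer? Mono needs FFALIGN >= 32
 * (total 64 elements); stereo needs FFALIGN >= 64 (64 per channel). */
static int ape_fixed_write_fits(int blockstodecode, int channels)
{
    if (blockstodecode <= 0 || (channels != 1 && channels != 2))
        return 0;
    return channel_slice_elems(blockstodecode, channels) >= UNCONDITIONAL_WRITES;
}

/* Stand-in for decode_array_0000: writes 64 elements without consulting
 * blockstodecode, but against a slice whose length is known so the
 * out-of-bounds portion is counted instead of corrupting memory.
 * Returns the number of elements that would have landed past the slice. */
static size_t simulate_decode_array_0000(int32_t *out, size_t out_elems)
{
    size_t overflow = 0;
    for (size_t i = 0; i < UNCONDITIONAL_WRITES; i++) {
        if (i < out_elems)
            out[i] = (int32_t)i;   /* in bounds */
        else
            overflow++;            /* would be an out-of-bounds write */
    }
    return overflow;
}

/* Allocate like the decoder, point at the channel slice that ends at the
 * buffer end, and report how far decode_array_0000 would write past it. */
static size_t overflow_for(int blockstodecode, int channels)
{
    size_t total = decoded_buffer_elems(blockstodecode);
    size_t slice = channel_slice_elems(blockstodecode, channels);
    int32_t *buf = calloc(total, sizeof(*buf));
    if (!buf)
        return (size_t)-1;
    int32_t *last = buf + (channels == 2 ? slice : 0);
    size_t over = simulate_decode_array_0000(last, slice);
    free(buf);
    return over;
}

int main(void)
{
    /* Constructed sample block counts around the two thresholds. */
    int cases[] = { 8, 24, 25, 32, 40, 57, 64 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int b = cases[i];
        printf("blockstodecode=%2d FFALIGN=%2d | mono: fits=%d overflow=%2zu"
               " | stereo: fits=%d overflow=%2zu\n",
               b, FFALIGN(b, 8),
               ape_fixed_write_fits(b, 1), overflow_for(b, 1),
               ape_fixed_write_fits(b, 2), overflow_for(b, 2));
    }
    return 0;
}
```

Note that the threshold applies to the aligned value: blockstodecode = 25 aligns up to 32 and passes the mono check, while 24 does not; the same holds for 57 versus 56 in the stereo case.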
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel