On Tue, Apr 28, 2015 at 11:22:22AM +0200, Andreas Cadhalpun wrote:
> On 28.04.2015 03:18, Michael Niedermayer wrote:
> > On Mon, Apr 27, 2015 at 11:56:15PM +0200, Andreas Cadhalpun wrote:
> >> s->decoded_buffer is allocated with a min_size of:
> >> 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
> >>
> >> Then it is assigned to s->decoded[0], which is passed as out buffer to
> >> decode_array_0000.
> >>
> >> In this function 64 elements of the out buffer are written
> >> unconditionally and outside the array if blockstodecode is too small.
> >>
> >> This causes memory corruption, leading to segmentation faults or other
> >> crashes.
> >>
> >> Thus check that FFALIGN(blockstodecode, 8) is at least 32, i.e. the
> >> decoded_buffer has at least 64 components.
> >
> > the stereo case would need a check against 64 i think
>
> Yes.
>
> > also if this is specific to decode_array_0000(), then the others
> > should not fail with a short array
>
> OK.
>
> > or decode_array_0000() could be made to just write less or error
> > out
>
> decode_array_0000 is void so error out would require more changes,
> but just writing less seems like a better fix anyway. New patch attached.
>
> Best regards,
> Andreas
>
> apedec.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 4f13e8d3f04b128cb0e8b4c0f703ecc56eaedd46 0001-apedec-prevent-out-of-array-writes-in-decode_array_0.patch
> From 969592cc6c04571afa0d8b32be31caf78ca52517 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> Date: Tue, 28 Apr 2015 11:13:43 +0200
> Subject: [PATCH] apedec: prevent out of array writes in decode_array_0000
>
> s->decoded_buffer is allocated with a min_size of:
> 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)
>
> Then it is assigned to s->decoded[0] (and s->decoded_buffer +
> FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to
> decode_array_0000.
>
> In this function 64 elements of the out buffer are written
> unconditionally and outside the array if blockstodecode is too small.
>
> This causes memory corruption, leading to segmentation faults or other
> crashes.
>
> Thus change decode_array_0000 to write at most blockstodecode elements
> of the out buffer.

applied

thanks

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In a rich man's house there is no place to spit but his face.
    -- Diogenes of Sinope
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
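A minimal C model of the buffer layout and the fix discussed in this thread, added here as an illustration and not FFmpeg's apedec.c code: it sizes the buffer as 2 * FFALIGN(blockstodecode, 8) elements, computes how far an unconditional 64-element write into decoded[0] or decoded[1] would run past the allocation (the stereo case Michael raised), and shows the bounded write the patch adopts. The APEModel struct, overflow_elements and decode_array_bounded are hypothetical names; the fill pattern is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Same alignment macro FFmpeg defines in libavutil/macros.h. */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Simplified model of the decoder state described in the thread
 * (hypothetical struct, not FFmpeg's APEContext). */
typedef struct {
    int32_t *decoded_buffer;   /* 2 * FFALIGN(blockstodecode, 8) elements */
    int32_t *decoded[2];       /* channel 0 / channel 1 views into it     */
    int      nb_elements;      /* elements actually allocated             */
} APEModel;

/* Allocate decoded_buffer exactly as the thread describes and point
 * decoded[0] at its start and decoded[1] at offset FFALIGN(blockstodecode, 8). */
static int ape_alloc(APEModel *s, int blockstodecode) {
    int aligned = FFALIGN(blockstodecode, 8);
    s->nb_elements = 2 * aligned;
    s->decoded_buffer = calloc((size_t)s->nb_elements, sizeof(*s->decoded_buffer));
    if (!s->decoded_buffer)
        return -1;
    s->decoded[0] = s->decoded_buffer;
    s->decoded[1] = s->decoded_buffer + aligned;
    return 0;
}

/* Number of elements the pre-fix unconditional 64-element write into
 * decoded[ch] would land past the end of decoded_buffer (0 = in bounds).
 * Computed arithmetically; the overflowing write itself is never performed. */
static int overflow_elements(const APEModel *s, int ch) {
    ptrdiff_t start = s->decoded[ch] - s->decoded_buffer;
    ptrdiff_t end   = start + 64;
    return end > s->nb_elements ? (int)(end - s->nb_elements) : 0;
}

/* Post-fix behaviour: write at most blockstodecode elements (and never
 * more than the 64 the routine produces). Returns the count written.
 * The i + 1 fill pattern is constructed for the example. */
static int decode_array_bounded(int32_t *out, int blockstodecode) {
    int n = blockstodecode < 64 ? blockstodecode : 64;
    for (int i = 0; i < n; i++)
        out[i] = i + 1;
    return n;
}
```

With blockstodecode = 16 the buffer holds 32 elements, so the old write overruns by 32 elements on channel 0 and by 48 on channel 1; only at FFALIGN(blockstodecode, 8) >= 64 does the stereo view fit, which is the "check against 64" mentioned above.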