On 28.04.2015 22:21, Michael Niedermayer wrote:
> On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
>> The existing check has two problems:
>>  1) i + count can overflow, so that the check '< 256' returns true.
>>  2) In the (i == 'N') case a j-- occurs, so that the loop runs once more.
>>
>> This can trigger the assertion 'nut->header_len[0] == 0' or cause
>> segmentation faults or infinite hangs.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavformat/nutdec.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
>> index 1bb2091..46946d3 100644
>> --- a/libavformat/nutdec.c
>> +++ b/libavformat/nutdec.c
>> @@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
>>          while (tmp_fields-- > 8)
>>              ffio_read_varlen(bc);
>>  
>> -        if (count == 0 || i + count > 256) {
>> +        if (count <= 0 || (i > 'N' && count > 256 - i) || (i <= 'N' && 
>> count > 255 - i)) {
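Review bot: the `count == 0` to `count <= 0` change on the `+` line fixes a third case that the commit message's two-item list does not mention, a negative `count`: the old condition let it through, since `count == 0` is false and `i + count > 256` is false for any negative `count`, so a reader of the message cannot tell why `<=` was needed. Suggest adding a sentence to the message documenting the rejection of negative counts alongside the overflow and the `'N'` skip.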
> 
> this could be simplified to:
> 
> if (count <= 0 || count > 256 - (i <= 'N') - i)) {
                                                 ^
OK, but there is one bracket too many.
New patch attached.

Best regards,
Andreas
From 95cc0bb685be1436e0689ea77daa3c63d691ecd4 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Tue, 28 Apr 2015 22:37:19 +0200
Subject: [PATCH] nutdec: fix illegal count check in decode_main_header

The existing check has two problems:
 1) i + count can overflow, so that the check '< 256' returns true.
 2) In the (i == 'N') case a j-- occurs, so that the loop runs once more.

This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/nutdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 74e3637..6f615c2 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
         while (tmp_fields-- > 8)
             ffio_read_varlen(bc);
 
-        if (count == 0 || i + count > 256) {
+        if (count <= 0 || count > 256 - (i <= 'N') - i) {
             av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i);
             return AVERROR_INVALIDDATA;
         }
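Review bot: the `(i <= 'N')` term in the new condition encodes a non-obvious fact (the fill loop does `j--` at `i == 'N'`, so a record starting at or before `'N'` needs one extra index) that only the commit message explains; add a one-line comment above the `if` so the next reader does not simplify it back to `256 - i`. Also, the message describes the old check as `'< 256'`, while the removed line reads `i + count > 256`; the message should quote the condition as it actually was.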
-- 
2.1.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
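The overflow and the `'N'` slot that the commit message describes, shown side by side in an added example that is not FFmpeg's code: `old_check_accepts` and `new_check_accepts` are the two conditions from the hunk, and `slots_after_loop` is an assumed model of the fill loop (`j--` at `i == 'N'`) that follows the check in the real parser. The helper names, the `FRAME_CODE_SLOTS` macro and the sample `(i, count)` pairs are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration of the count check in decode_main_header; this
 * is not FFmpeg code. 'i' is the index into the 256-entry frame_code table
 * and 'count' the number of entries one header record claims. The helper
 * names (old_check_accepts, new_check_accepts, slots_after_loop) are
 * assumptions made for this example. */

#define FRAME_CODE_SLOTS 256

/* The check the patch removes. Returns true when the record is accepted.
 * The original adds i and count in int; on the usual two's-complement
 * build a count near INT_MAX wraps negative and slips under the 256 bound.
 * The unsigned cast reproduces that wrap with defined behaviour. */
static bool old_check_accepts(int i, int count)
{
    int sum = (int)((unsigned)i + (unsigned)count);
    return !(count == 0 || sum > FRAME_CODE_SLOTS);
}

/* The check the patch adds. With 0 <= i < 256 the right-hand side stays in
 * [0, 256], so no overflow is possible; negative counts are rejected by
 * count <= 0; and (i <= 'N') reserves the slot that the fill loop consumes
 * without counting it (see slots_after_loop). */
static bool new_check_accepts(int i, int count)
{
    return !(count <= 0 || count > FRAME_CODE_SLOTS - (i <= 'N') - i);
}

/* Models the fill loop that follows the check: it advances i once per
 * iteration, but at i == 'N' it does j-- and continues, so that entry is
 * consumed without counting towards j. Returns the index after the loop,
 * or -1 if the loop would touch an entry beyond the table. Returning the
 * same i it was given means no progress was made, which is how the outer
 * loop in the parser ends up spinning forever on a negative count. */
static int slots_after_loop(int i, int count)
{
    int j;
    for (j = 0; j < count; j++, i++) {
        if (i >= FRAME_CODE_SLOTS)
            return -1;      /* the real code would write out of bounds here */
        if (i == 'N') {
            j--;
            continue;
        }
        /* normal entry: frame_code[i] would be filled in here */
    }
    return i;
}

static void report(int i, int count)
{
    printf("i=%3d count=%11d  old:%-7s new:%-7s end=%d\n", i, count,
           old_check_accepts(i, count) ? "accept" : "reject",
           new_check_accepts(i, count) ? "accept" : "reject",
           slots_after_loop(i, count));
}

int main(void)
{
    report(1, INT_MAX);   /* overflow: old accepts, loop runs off the table */
    report(0, 256);       /* 'N' skip: old accepts, but 257 slots are needed */
    report(0, 255);       /* exactly fills the table; both accept */
    report(100, 156);     /* past 'N': 256 - i entries fit; both accept */
    report(5, -1);        /* negative: old accepts, loop makes no progress */
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. Three of the five rows are accepted by the old condition and rejected by the new one; for each of those, `slots_after_loop` shows the consequence the commit message lists (an out-of-bounds table write for the first two, a loop that never advances for the last), which is why the fixed check bounds `count` against the remaining table space instead of adding it to `i`.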
