Re: [FFmpeg-devel] [PATCH 1/3] ffmdec: reset packet_end in case of failure

Sat, 02 Jan 2016 10:43:19 -0800 

On 02.01.2016 19:14, Michael Niedermayer wrote:
> On Sat, Jan 02, 2016 at 04:51:17PM +0100, Andreas Cadhalpun wrote:
>> This fixes segmentation faults caused by passing a packet_ptr of NULL to
>> memcpy.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavformat/ffmdec.c | 8 ++++++--
>>  1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
>> index 9fe4155..7b2d0d7 100644
>> --- a/libavformat/ffmdec.c
>> +++ b/libavformat/ffmdec.c
>> @@ -123,8 +123,10 @@ static int ffm_read_data(AVFormatContext *s,
>>              frame_offset = avio_rb16(pb);
>>              avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE);
>>              ffm->packet_end = ffm->packet + (ffm->packet_size - 
>> FFM_HEADER_SIZE - fill_size);
>> -            if (ffm->packet_end < ffm->packet || frame_offset < 0)
>> +            if (ffm->packet_end < ffm->packet || frame_offset < 0) {
>> +                ffm->packet_end = ffm->packet_ptr;
> 
> doesnt this imply that packet_end was set to a invalid pointer?

Yes, if you use a strict definition of a valid pointer.
(It could still point to a valid memory address, but from a different
memory allocation than packet_ptr.)

By the way, the check for frame_offset < 0 is pointless, because
avio_rb16 returns an unsigned int.

> (that is undefined behavior)

Yes, but ubsan didn't catch it. ;)

Anyway, attached is an updated patch avoiding this problem.

Best regards,
Andreas

>From a0faebf31ab37083e140c6d276b16dd024f97ffb Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Sat, 2 Jan 2016 16:27:02 +0100
Subject: [PATCH 1/3] ffmdec: reset packet_end in case of failure

This fixes segmentation faults caused by passing a packet_ptr of NULL to
memcpy.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/ffmdec.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index 9fe4155..33f93b7 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -122,9 +122,10 @@ static int ffm_read_data(AVFormatContext *s,
             ffm->dts = avio_rb64(pb);
             frame_offset = avio_rb16(pb);
             avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE);
-            ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size);
-            if (ffm->packet_end < ffm->packet || frame_offset < 0)
+            if (ffm->packet_size < FFM_HEADER_SIZE + fill_size || frame_offset < 0) {
                 return -1;
+            }
+            ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size);
             /* if first packet or resynchronization packet, we must
                handle it specifically */
             if (ffm->first_packet || (frame_offset & 0x8000)) {
@@ -140,8 +141,10 @@ static int ffm_read_data(AVFormatContext *s,
                     return 0;
                 }
                 ffm->first_packet = 0;
-                if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE)
+                if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) {
+                    ffm->packet_end = ffm->packet_ptr;
                     return -1;
+                }
                 ffm->packet_ptr = ffm->packet + (frame_offset & 0x7fff) - FFM_HEADER_SIZE;
                 if (!header)
                     break;
-- 
2.6.4


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Reply via email to