On Thu, Feb 20, 2020 at 08:11:34PM +0100, Paul B Mahol wrote:
> Are you sure this is correct?
> Does asan reports exactly overread by 4?

the next line passes diff_size - 8 as an unsigned data size.
if diff_size is smaller than 8, diff_size - 8 is very big and
the overread checks which use that will misbehave.


[...]
> > @@ -269,7 +269,7 @@ static int cdtoons_decode_frame(AVCodecContext *avctx,
> > void *data,
> >                  diff_size  = bytestream_get_be32(&buf);
> >                  width      = bytestream_get_be16(&buf);
> >                  height     = bytestream_get_be16(&buf);
> > -                if (diff_size < 4 || diff_size - 4 > eod - buf) {
> > +                if (diff_size < 8 || diff_size - 4 > eod - buf) {
> >                      av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out of
> > data for Diff frame data.\n");
> >                      return AVERROR_INVALIDDATA;
> >                  }
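Review bot: the minimum moves from 4 to 8 but the bound on the next clause keeps `diff_size - 4 > eod - buf`, so the two constants now differ with nothing in the hunk explaining why; a one-line comment stating what the 8 bytes cover (per the reply above, `diff_size - 8` is later passed on as the unsigned data size) would make the check auditable without reading the rest of the function. The warning text "Ran (seriously) out of data" is also slightly misleading for the newly rejected range 4..7, which is a malformed size field rather than a truncated buffer; consider a distinct message for that case.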

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
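The wrap-around the reply describes, as an added stand-alone illustration that is not FFmpeg's code: the functions below are constructed stand-ins for the old and patched header check, and `payload_size` models the later `diff_size - 8` computation the reply mentions (the 1024-byte `remaining` value is an assumed buffer length).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the Diff-frame header check from the thread.
 * diff_size is the 32-bit size read from the stream; remaining models
 * eod - buf after the size, width and height fields have been consumed. */

/* Check before the patch: only diff_size < 4 is rejected. */
static int old_check_accepts(uint32_t diff_size, size_t remaining)
{
    if (diff_size < 4 || diff_size - 4 > remaining)
        return 0;
    return 1;
}

/* Check as patched: the value later handed on is diff_size - 8, so
 * anything below 8 must be rejected before that subtraction happens. */
static int new_check_accepts(uint32_t diff_size, size_t remaining)
{
    if (diff_size < 8 || diff_size - 4 > remaining)
        return 0;
    return 1;
}

/* Unsigned payload size the caller would receive. For diff_size 4..7,
 * which the old check lets through, this wraps to about 4 billion, so
 * any bounds check built on it is comparing against a bogus length. */
static uint32_t payload_size(uint32_t diff_size)
{
    return diff_size - 8;
}

int main(void)
{
    /* Walk the small sizes and show which check accepts them and what
     * payload length would follow; assumed remaining buffer: 1024 bytes. */
    for (uint32_t ds = 0; ds < 12; ds++)
        printf("diff_size=%2u old_accepts=%d new_accepts=%d payload_size=%u\n",
               ds, old_check_accepts(ds, 1024), new_check_accepts(ds, 1024),
               payload_size(ds));
    return 0;
}
```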
