On 2/20/20, Michael Niedermayer <michae...@gmx.at> wrote:
> On Thu, Feb 20, 2020 at 08:11:34PM +0100, Paul B Mahol wrote:
>> Are you sure this is correct?
>> Does asan reports exactly overread by 4?
>
> the next line passes diff_size - 8 as a unsigned data size
> if diff_size is smaller than 8, diff_size - 8 is very big and
> the overread checks which use that will misbehave
>
OK then.
>
> [...]
>> > @@ -269,7 +269,7 @@ static int cdtoons_decode_frame(AVCodecContext
>> > *avctx,
>> > void *data,
>> > diff_size = bytestream_get_be32(&buf);
>> > width = bytestream_get_be16(&buf);
>> > height = bytestream_get_be16(&buf);
>> > - if (diff_size < 4 || diff_size - 4 > eod - buf) {
>> > + if (diff_size < 8 || diff_size - 4 > eod - buf) {
>> > av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out
>> > of
>> > data for Diff frame data.\n");
>> > return AVERROR_INVALIDDATA;
>> > }
>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The misfortune of the wise is better than the prosperity of the fool.
> -- Epicurus
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
