Re: [FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header

2015-04-28 Thread Michael Niedermayer
On Tue, Apr 28, 2015 at 10:39:40PM +0200, Andreas Cadhalpun wrote:
> On 28.04.2015 22:21, Michael Niedermayer wrote:
> > On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
> >> The existing check has two problems:
> >> 1) i + count can overflow, so that the check '< 256' returns tr

Re: [FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header

2015-04-28 Thread Andreas Cadhalpun
On 28.04.2015 22:21, Michael Niedermayer wrote:
> On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
>> The existing check has two problems:
>> 1) i + count can overflow, so that the check '< 256' returns true.
>> 2) In the (i == 'N') case occurs a j-- so that the loop runs once m

Re: [FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header

2015-04-28 Thread Michael Niedermayer
On Tue, Apr 28, 2015 at 08:57:39PM +0200, Andreas Cadhalpun wrote:
> The existing check has two problems:
> 1) i + count can overflow, so that the check '< 256' returns true.
> 2) In the (i == 'N') case occurs a j-- so that the loop runs once more.
>
> This can trigger the assertion 'nut->header

[FFmpeg-devel] [PATCH 1/3] nutdec: fix illegal count check in decode_main_header

2015-04-28 Thread Andreas Cadhalpun
The existing check has two problems:
1) i + count can overflow, so that the check '< 256' returns true.
2) In the (i == 'N') case occurs a j-- so that the loop runs once more.

This can trigger the assertion 'nut->header_len[0] == 0' or cause segmentation faults or infinite hangs.

Signed-off-by: