Patches item #411176, was updated on 2001-03-25 08:36
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=311050&aid=411176&group_id=11050

Category: None
Group: None
>Status: Closed
>Resolution: Accepted
Priority: 5
Submitted By: Jürgen Keil (jkeil)
>Assigned to: Zdenek Kabelac (kabi)
Summary: fix for corrupted malloc heap

Initial Comment:
Here are two fixes for AVIReadHandler::readIndexChunk:

1. readIndexChunk allocates an array ('positions') of
   m_Streams.size() int64_t elements, i.e. a valid
   index into the array is in the range 
   [0..m_Streams.size()-1].

   Before writing to this array, the index 'id'
   is checked:

        unsigned int id=StreamFromFOURCC(entry.ckid);
        if((id<0)||(id>m_Streams.size()))
            continue;

   Note that 'id == m_Streams.size()' is *not* rejected
   here, leading to malloc heap corruption.  The
   code should skip the entry in case
   id>=m_Streams.size().


2. It seems that there are avi files that have stuff
   after the AVIINDEXENTRY array, before the end of
   the file.  AVIReadHandler::readIndexChunk() 
   currently ignores the passed index_size
   (although it's tested in the while loop every time),
   and keeps going until the end of the avi file;
   this adds garbage to the index table (e.g. *huge*
   chunk sizes, and once the library tries to
   read in this garbage chunk with the *huge* size,
   it crashes with an exception in operator new).



diff -rub -x CVS
avifile-0.6-orig/lib/aviread/AviReadHandler.cpp
avifile-0.6/lib/aviread/AviReadHandler.cpp
--- avifile-0.6-orig/lib/aviread/AviReadHandler.cpp     Mon
Mar 19 13:57:47 2001
+++ avifile-0.6/lib/aviread/AviReadHandler.cpp  Sun Mar
25 00:44:29 2001
@@ -378,14 +378,18 @@
     int64_t* positions=new int64_t[m_Streams.size()];
     for(unsigned i=0; i<m_Streams.size(); i++)
        positions[i]=0;
-    while((index_size>0) && !m_Input.eof())
+    for (;
+        index_size >= sizeof(AVIINDEXENTRY) &&
!m_Input.eof();
+        index_size -= sizeof(AVIINDEXENTRY))
     {
        AVIINDEXENTRY entry;
        AVIINDEXENTRY2 entry2;
-       m_Input.read(&entry, sizeof(entry));
+       int len = m_Input.read(&entry, sizeof(entry));
+       if (len < sizeof(entry))
+           cerr<<"WARNING: incomplete chunk entry, len=" <<
len << endl;
        
        unsigned int id=StreamFromFOURCC(entry.ckid);
-       if((id<0)||(id>m_Streams.size()))
+       if((id<0)||(id>=m_Streams.size()))
            continue;
        AVIReadStream& stream=m_Streams[id];
        
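Review bot: the short-read path added at `int len = m_Input.read(&entry, sizeof(entry)); if (len < sizeof(entry))` only prints a warning and then falls through to `StreamFromFOURCC(entry.ckid)` on a partially filled `entry`; a short read means the index is truncated, so the loop should `break` there (at minimum `continue`) rather than index whatever the uninitialized tail of the struct contains. The comparison is also signed/unsigned: `len` is `int` and `sizeof(entry)` is `size_t`, so if `read()` can report an error with a negative value that value converts to a large unsigned number and the warning never fires; compare against `(int)sizeof(entry)` or test `len <= 0` first. On the bounds check, `id` is `unsigned int`, so `(id<0)` in `if((id<0)||(id>=m_Streams.size()))` is always false and can be dropped; the change to `>=` is the right fix, since `positions` is allocated with exactly `m_Streams.size()` elements.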


----------------------------------------------------------------------


_______________________________________________
Avifile mailing list
[EMAIL PROTECTED]
http://prak.org/mailman/listinfo/avifile
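The two defects the report describes, an off-by-one stream-id bound that lets `id == m_Streams.size()` write past the `positions` array, and an index loop that ignores `index_size` and reads to end of file, are shown below in a small bounded reader for an AVI 'idx1' index. This is an added example, not avifile's code: `read_index()` stands in for `AVIReadHandler::readIndexChunk()`, `stream_from_fourcc()` is an assumed stand-in for `StreamFromFOURCC()` (AVI stream chunk ids carry the stream number as two leading decimal digits, e.g. "01wb"; the page does not show the library's own implementation), and the sample index is constructed inline with one entry naming a non-existent stream and one valid-looking entry placed after the declared `index_size`.

```c
/* Added example, not avifile's code: a bounded reader for an AVI 'idx1' index
 * applying both fixes from the report, (1) reject stream ids with id >= nstreams
 * and (2) stop after index_size bytes rather than at EOF.
 * AVIINDEXENTRY is the 16-byte little-endian record (ckid, flags, offset, length).
 * stream_from_fourcc() is an ASSUMED stand-in for StreamFromFOURCC(). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ENTRY_SIZE 16u   /* sizeof(AVIINDEXENTRY) on disk */

typedef struct { size_t accepted, skipped_id, consumed; } index_stats;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Assumed stand-in for StreamFromFOURCC: the stream number is the two leading
 * decimal digits of the chunk id ("00dc", "01wb"); returns -1 if they are not digits. */
static int stream_from_fourcc(uint32_t ckid)
{
    int hi = (int)(ckid & 0xff) - '0', lo = (int)((ckid >> 8) & 0xff) - '0';
    if (hi < 0 || hi > 9 || lo < 0 || lo > 9) return -1;
    return hi * 10 + lo;
}

/* Parse at most index_size bytes of buf, summing chunk lengths per stream into
 * positions[0 .. nstreams-1].  The bound is id < nstreams: id == nstreams would
 * write one element past the array, the heap corruption described in the report. */
static index_stats read_index(const uint8_t *buf, size_t buf_len, size_t index_size,
                              size_t nstreams, int64_t *positions)
{
    index_stats st = {0, 0, 0};
    size_t off = 0;
    if (index_size > buf_len) index_size = buf_len;   /* header claims more than the file holds */
    for (size_t i = 0; i < nstreams; i++) positions[i] = 0;

    while (index_size - off >= ENTRY_SIZE) {          /* a partial trailing entry is ignored */
        uint32_t ckid = rd_le32(buf + off);
        uint32_t chunk_length = rd_le32(buf + off + 12);   /* flags/offset not needed here */
        off += ENTRY_SIZE;
        st.consumed = off;

        int id = stream_from_fourcc(ckid);
        if (id < 0 || (size_t)id >= nstreams) { st.skipped_id++; continue; }
        positions[id] += chunk_length;
        st.accepted++;
    }
    return st;
}

/* Constructed sample (not from a real file): a two-stream index declaring three
 * entries, the third naming stream 2 which does not exist, followed by one more
 * plausible-looking entry with a "huge" length that lies beyond index_size. */
static uint8_t g_file[64];
static int64_t g_positions[2];

static size_t put_entry(uint8_t *out, const char *ckid, uint32_t offset, uint32_t length)
{
    memcpy(out, ckid, 4);
    wr_le32(out + 4, 0x10);      /* AVIIF_KEYFRAME */
    wr_le32(out + 8, offset);
    wr_le32(out + 12, length);
    return ENTRY_SIZE;
}

index_stats run_demo(void)
{
    size_t n = 0;
    n += put_entry(g_file + n, "00dc", 4, 1000);
    n += put_entry(g_file + n, "01wb", 1012, 200);
    n += put_entry(g_file + n, "02dc", 1220, 300);           /* id == nstreams: must be skipped */
    size_t index_size = n;                                    /* what the idx1 chunk header declares */
    n += put_entry(g_file + n, "00dc", 0, 0xFFFFFFFFu);       /* stale data past index_size: must not be indexed */
    return read_index(g_file, n, index_size, 2, g_positions);
}

int64_t demo_position(int stream) { return g_positions[stream]; }

int main(void)
{
    index_stats st = run_demo();
    printf("accepted=%zu skipped=%zu consumed=%zu of %zu bytes; stream0=%lld stream1=%lld\n",
           st.accepted, st.skipped_id, st.consumed, sizeof g_file,
           (long long)g_positions[0], (long long)g_positions[1]);
    return 0;
}
```

With the old `id > size` test the third entry would add 300 to `positions[2]`, one past the end of a two-element heap array; with the old EOF-driven loop the fourth entry would add 4294967295 to stream 0's total, which is the "huge chunk size" that later blows up in `operator new`. The bounded reader accepts two entries, skips one, and stops at byte 48.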
