On Fri, Nov 6, 2015 at 4:06 PM, Ganesh Ajjanagadde <gajjanaga...@gmail.com> wrote: > strlen returns a size_t, which is unsigned. If it is less than 2 for > some pixel format. wrap-around will happen and a bad pointer dereference > will take place. > > Yes, this is at the moment theoretical, but nonetheless dangerous in my > view and the fix is very simple. > > ------------------------------------------------------------------------------- > Inspired by a patch from Andreas Cadhalpun, I am running an audit of the > FFmpeg codebase for fishy usage of the string handling functions. > > Signed-off-by: Ganesh Ajjanagadde <gajjanaga...@gmail.com> > --- > libavutil/pixdesc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c > index 72d0470..4e02c14 100644 > --- a/libavutil/pixdesc.c > +++ b/libavutil/pixdesc.c > @@ -2232,12 +2232,13 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum > AVPixelFormat pix_fmt) > { > const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(pix_fmt); > char name[16]; > - int i; > + int i = 0; > > if (!desc || strlen(desc->name) < 2) > return AV_PIX_FMT_NONE; > av_strlcpy(name, desc->name, sizeof(name)); > - i = strlen(name) - 2; > + if (strlen(name) >= 2) > + i = strlen(name) - 2; > if (strcmp(name + i, "be") && strcmp(name + i, "le")) > return AV_PIX_FMT_NONE; > > -- > 2.6.2 >
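Review bot: the added `if (strlen(name) >= 2)` guard in this hunk is redundant, because the check two lines above it already returns `AV_PIX_FMT_NONE` when `strlen(desc->name) < 2`, and `av_strlcpy(name, desc->name, sizeof(name))` into the 16-byte `name` keeps at least the first 15 bytes of a name that is at least 2 bytes long, so `strlen(name) - 2` cannot wrap here. Note also that with `int i = 0;` the new code silently falls through on a short name and compares `name + 0` against "be"/"le" instead of returning, which only works by accident of `strcmp` failing. If the intent is to make the bound local and obvious, store the length once (`size_t len = strlen(name);`) and use it for both the comparison and the offset instead of calling `strlen` three times on the same buffer; otherwise the hunk can be dropped.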
Dropped, turns out it is checked earlier. Sorry.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel