On Fri, Sep 09, 2011 at 01:05:54AM +0200, Laurent Aimar wrote:
> Hi,
>
> After trying some fuzzing on libavcodec, it seems that a lot of decoders
> do not check (or not enough) for buffer overread, which can lead for some
> to a segfault.
>
> I attached a patch that makes the get_bits.h functions check for overread by
> default but lets safe decoders disable the checks at compilation time by
> defining UNCHECK_BITSTREAM_READER before including get_bits.h.
> If such a patch were included, I would gladly provide a patch
> adding the #define UNCHECK_BITSTREAM_READER to the decoders that are 'safe'.
>
> I haven't yet benchmarked the performance loss but will do so.
>
> One decoder breaks with this patch: mpegaudio. It seems to do weird things
> with two get bit contexts and switching them while decoding. I will try to
> have a look at it (unless someone would volunteer to explain to me what it is
> doing :)
It's easy: MP3 is actually VBR disguised as CBR, so frame data (except for the header) actually forms an independent bitstream, and the frame header provides an offset in it from which point data should be read (so actual frame data may start in the payload from the previous frame). The lavc MP3 decoder reads the data in the previous frame (saved data) with one context and then switches to the current frame data when needed, IIRC.

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
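The two ideas in this thread, a bounds-checked bit reader that refuses to read past its buffer, and an MP3-style reader that starts in saved data from earlier frames and switches to the current frame's payload partway through, are illustrated below in a small stand-alone C example. This is added example code, not libavcodec's get_bits.h or its mpegaudio decoder: the `BitReader`, `ReservoirReader`, `get_bits`, `reservoir_get_bits` and `demo` names, the 32-bit read limit, and the sample reservoir and payload bytes are all constructed for the illustration. The `main_data_begin` field is used here the way the mail describes the frame header offset: a byte count back into the reservoir, and a header pointing further back than there is saved data is rejected up front instead of being read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounds-checked bit reader: a read that would run past the buffer
 * sets `overread`, returns 0 and parks the position at the end. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;   /* buffer length in bits */
    size_t index;       /* current read position in bits */
    int overread;       /* sticky flag: some read went out of bounds */
} BitReader;

static void init_get_bits(BitReader *br, const uint8_t *buf, size_t len_bytes) {
    br->buf = buf;
    br->size_bits = len_bytes * 8;
    br->index = 0;
    br->overread = 0;
}

static size_t get_bits_left(const BitReader *br) { return br->size_bits - br->index; }

/* Read n (1..32) bits MSB-first; the bounds check happens before any byte is touched. */
static unsigned get_bits(BitReader *br, unsigned n) {
    unsigned v = 0;
    if (n == 0) return 0;
    if (n > 32 || br->index + n > br->size_bits) {
        br->overread = 1;
        br->index = br->size_bits;   /* clamp so later reads are flagged too */
        return 0;
    }
    for (unsigned i = 0; i < n; i++, br->index++)
        v = (v << 1) | ((br->buf[br->index >> 3] >> (7 - (br->index & 7))) & 1);
    return v;
}

/* Two contexts, as in the mail: `saved` covers the tail of the reservoir (main data
 * left over from earlier frames), `cur` covers the current frame's payload. */
typedef struct {
    BitReader saved, cur;
    BitReader *active;
} ReservoirReader;

static int reservoir_init(ReservoirReader *rr,
                          const uint8_t *reservoir, size_t reservoir_len,
                          unsigned main_data_begin,
                          const uint8_t *payload, size_t payload_len) {
    if (main_data_begin > reservoir_len)
        return -1;   /* header points before any data we actually hold: reject the frame */
    init_get_bits(&rr->saved, reservoir + (reservoir_len - main_data_begin), main_data_begin);
    init_get_bits(&rr->cur, payload, payload_len);
    rr->active = main_data_begin ? &rr->saved : &rr->cur;
    return 0;
}

/* Read n bits, switching from the saved context to the current one at the boundary. */
static unsigned reservoir_get_bits(ReservoirReader *rr, unsigned n) {
    if (rr->active == &rr->saved) {
        size_t left = get_bits_left(&rr->saved);
        if (n <= left) {
            unsigned v = get_bits(&rr->saved, n);
            if (left == n) rr->active = &rr->cur;
            return v;
        }
        /* The field straddles the boundary: finish the saved data, then continue in cur. */
        unsigned hi = get_bits(&rr->saved, (unsigned)left);
        rr->active = &rr->cur;
        unsigned lo = get_bits(&rr->cur, n - (unsigned)left);
        return (hi << (n - (unsigned)left)) | lo;
    }
    return get_bits(&rr->cur, n);
}

static int reservoir_overread(const ReservoirReader *rr) {
    return rr->saved.overread || rr->cur.overread;
}

/* Constructed sample data: a 3-byte reservoir, a 2-byte payload, main_data_begin = 2. */
static const uint8_t k_reservoir[] = { 0xAB, 0xCD, 0xEF };
static const uint8_t k_payload[]   = { 0x12, 0x34 };

/* Returns the value read at `step` 0..2, the overread flag after one extra 1-bit read
 * at step 3, or -1 when the (constructed) header backstep exceeds the reservoir. */
static long demo(int step) {
    ReservoirReader rr;
    unsigned backstep = step < 0 ? 5 : 2;   /* step -1 simulates a bad header */
    if (reservoir_init(&rr, k_reservoir, sizeof k_reservoir, backstep,
                       k_payload, sizeof k_payload) < 0)
        return -1;
    unsigned v0 = reservoir_get_bits(&rr, 12);   /* 0xCDE, entirely from saved data */
    unsigned v1 = reservoir_get_bits(&rr, 8);    /* 0xF1: 4 bits saved + 4 bits current */
    unsigned v2 = reservoir_get_bits(&rr, 12);   /* 0x234, rest of the current payload */
    if (step == 0) return v0;
    if (step == 1) return v1;
    if (step == 2) return v2;
    reservoir_get_bits(&rr, 1);                  /* nothing left: flagged, not read */
    return reservoir_overread(&rr);
}

int main(void) {
    printf("%lx %lx %lx overread=%ld bad_header=%ld\n",
           demo(0), demo(1), demo(2), demo(3), demo(-1));
    return 0;
}
```

The point of the checked reader is that the last `reservoir_get_bits(&rr, 1)` neither touches memory past `k_payload` nor aborts the process; it only raises the sticky flag, which the caller checks once per frame. Rejecting an oversized backstep in `reservoir_init` is the second half of the same defence: the bounds on the saved context are derived from how much reservoir data really exists, not from the header's claim.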