Re: [libav-devel] [PATCH] utils: Check for extradata size overflows.

Thu, 12 Jan 2012 12:01:21 -0800 

On 01/12/2012 02:57 PM, Alex Converse wrote:

> ---
>  libavcodec/internal.h |    7 +++++++
>  libavcodec/utils.c    |    3 +++
>  libavformat/utils.c   |    4 +++-
>  3 files changed, 13 insertions(+), 1 deletions(-)
> 
> diff --git a/libavcodec/internal.h b/libavcodec/internal.h
> index b5a0454..1c2d0da 100644
> --- a/libavcodec/internal.h
> +++ b/libavcodec/internal.h
> @@ -94,4 +94,11 @@ unsigned int avpriv_toupper4(unsigned int x);
>  int avpriv_lock_avformat(void);
>  int avpriv_unlock_avformat(void);
>  
> +/**
> + * Maximum size in bytes of extradata.
> + * This value was chosen such that every bit of the buffer is
> + * addressable by a 32-bit signed integer as used by get_bits.
> + */
> +#define FF_MAX_EXTRADATA_SIZE ((1 << 28) - FF_INPUT_BUFFER_PADDING_SIZE)
> +
>  #endif /* AVCODEC_INTERNAL_H */
> diff --git a/libavcodec/utils.c b/libavcodec/utils.c
> index 2bc1dcf..6f4d7e6 100644
> --- a/libavcodec/utils.c
> +++ b/libavcodec/utils.c
> @@ -610,6 +610,9 @@ int attribute_align_arg avcodec_open2(AVCodecContext 
> *avctx, AVCodec *codec, AVD
>      int ret = 0;
>      AVDictionary *tmp = NULL;
>  
> +    if (avctx->extradata_size < 0 || avctx->extradata_size >= 
> FF_MAX_EXTRADATA_SIZE)
> +        return AVERROR(EINVAL);
> +
>      if (options)
>          av_dict_copy(&tmp, *options, 0);
>  
> diff --git a/libavformat/utils.c b/libavformat/utils.c
> index a796658..373f068 100644
> --- a/libavformat/utils.c
> +++ b/libavformat/utils.c
> @@ -2442,9 +2442,11 @@ int avformat_find_stream_info(AVFormatContext *ic, 
> AVDictionary **options)
>          }
>          if(st->parser && st->parser->parser->split && !st->codec->extradata){
>              int i= st->parser->parser->split(st->codec, pkt->data, 
> pkt->size);
> -            if(i){
> +            if (i > 0 && i < FF_MAX_EXTRADATA_SIZE) {
>                  st->codec->extradata_size= i;
>                  st->codec->extradata= av_malloc(st->codec->extradata_size + 
> FF_INPUT_BUFFER_PADDING_SIZE);
> +                if (!st->codec->extradata)
> +                    return AVERROR(ENOMEM);
>                  memcpy(st->codec->extradata, pkt->data, 
> st->codec->extradata_size);
>                  memset(st->codec->extradata + i, 0, 
> FF_INPUT_BUFFER_PADDING_SIZE);
>              }


lgtm.

-Justin

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to