On Fri, Nov 6, 2015 at 4:06 PM, Ganesh Ajjanagadde
wrote:
> strlen returns a size_t, which is unsigned. If it is less than 2 for
> some pixel format. wrap-around will happen and a bad pointer dereference
> will take place.
>
> Yes, this is at the moment theoretical, but nonetheless dangerous in my
> view and the fix is very simple.
>
> ---
> Inspired by a patch from Andreas Cadhalpun, I am running an audit of the
> FFmpeg codebase for fishy usage of the string handling functions.
>
> Signed-off-by: Ganesh Ajjanagadde
> ---
> libavutil/pixdesc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c
> index 72d0470..4e02c14 100644
> --- a/libavutil/pixdesc.c
> +++ b/libavutil/pixdesc.c
> @@ -2232,12 +2232,13 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum
> AVPixelFormat pix_fmt)
> {
> const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(pix_fmt);
> char name[16];
> -int i;
> +int i = 0;
>
> if (!desc || strlen(desc->name) < 2)
> return AV_PIX_FMT_NONE;
> av_strlcpy(name, desc->name, sizeof(name));
> -i = strlen(name) - 2;
> +if (strlen(name) >= 2)
> +i = strlen(name) - 2;
> if (strcmp(name + i, "be") && strcmp(name + i, "le"))
> return AV_PIX_FMT_NONE;
>
> --
> 2.6.2
>
Dropped, turns out it is checked earlier. Sorry.
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel