subject:"\[FFmpeg\-devel\] \[PATCH\] jvdec\: avoid unsized overflow in comparison"

Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

2015-11-07 Thread Andreas Cadhalpun

On 07.11.2015 06:07, Paul B Mahol wrote:
> On 11/6/15, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote:
>> The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
>> is 3, the right side overflows leading to a wrong result of the
>> comparison and subsequently a heap buffer overflow.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavformat/jvdec.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> lgtm

Pushed...

On 07.11.2015 06:19, Timothy Gu wrote:
> On Fri, Nov 06, 2015 at 09:11:40PM +0100, Andreas Cadhalpun wrote:
>> Subject: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison
> 
> *unsigned

...with the typo fixed.

Best regards,
Andreas

___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

2015-11-06 Thread Paul B Mahol

On 11/6/15, Andreas Cadhalpun  wrote:
> The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
> is 3, the right side overflows leading to a wrong result of the
> comparison and subsequently a heap buffer overflow.
>
> Signed-off-by: Andreas Cadhalpun 
> ---
>  libavformat/jvdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
> index 4d4f0c7..a31c723 100644
> --- a/libavformat/jvdec.c
> +++ b/libavformat/jvdec.c
> @@ -54,7 +54,7 @@ typedef struct JVDemuxContext {
>
>  static int read_probe(AVProbeData *pd)
>  {
> -if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <=
> pd->buf_size - 4 &&
> +if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <=
> pd->buf_size &&
>  !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
>  return AVPROBE_SCORE_MAX;
>  return 0;
> --
> 2.6.1
> ___
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

lgtm
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

2015-11-06 Thread Timothy Gu

On Fri, Nov 06, 2015 at 09:11:40PM +0100, Andreas Cadhalpun wrote:
> Subject: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

*unsigned

[...]

Timothy
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

[FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

2015-11-06 Thread Andreas Cadhalpun

The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.

Signed-off-by: Andreas Cadhalpun 
---
 libavformat/jvdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 4d4f0c7..a31c723 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -54,7 +54,7 @@ typedef struct JVDemuxContext {
 
 static int read_probe(AVProbeData *pd)
 {
-if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= 
pd->buf_size - 4 &&
+if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= 
pd->buf_size &&
 !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
 return AVPROBE_SCORE_MAX;
 return 0;
-- 
2.6.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

[FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison

4 matches

Site Navigation

Mail list logo

Footer information