Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison
On 07.11.2015 06:07, Paul B Mahol wrote: > On 11/6/15, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote: >> The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size >> is 3, the right side overflows leading to a wrong result of the >> comparison and subsequently a heap buffer overflow. >> >> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> >> --- >> libavformat/jvdec.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) > > lgtm Pushed... On 07.11.2015 06:19, Timothy Gu wrote: > On Fri, Nov 06, 2015 at 09:11:40PM +0100, Andreas Cadhalpun wrote: >> Subject: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison > > *unsigned ...with the typo fixed. Best regards, Andreas ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison
On 11/6/15, Andreas Cadhalpunwrote: > The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size > is 3, the right side overflows leading to a wrong result of the > comparison and subsequently a heap buffer overflow. > > Signed-off-by: Andreas Cadhalpun > --- > libavformat/jvdec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c > index 4d4f0c7..a31c723 100644 > --- a/libavformat/jvdec.c > +++ b/libavformat/jvdec.c > @@ -54,7 +54,7 @@ typedef struct JVDemuxContext { > > static int read_probe(AVProbeData *pd) > { > -if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= > pd->buf_size - 4 && > +if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= > pd->buf_size && > !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) > return AVPROBE_SCORE_MAX; > return 0; > -- > 2.6.1 > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > lgtm ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
Re: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison
On Fri, Nov 06, 2015 at 09:11:40PM +0100, Andreas Cadhalpun wrote: > Subject: [FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison *unsigned [...] Timothy ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
[FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size is 3, the right side overflows leading to a wrong result of the comparison and subsequently a heap buffer overflow. Signed-off-by: Andreas Cadhalpun--- libavformat/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 4d4f0c7..a31c723 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct JVDemuxContext { static int read_probe(AVProbeData *pd) { -if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && +if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; -- 2.6.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel