diff mbox

[FFmpeg-devel] Fix heap buffer overflow in ff_combine_frame

Message ID 20180626110238.23761-1-sploving1@gmail.com
State New
Headers show

Commit Message

Baozeng Ding June 26, 2018, 11:02 a.m. UTC 
Signed-off-by: Baozeng Ding <sploving1@gmail.com>
---
 libavcodec/parser.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer June 26, 2018, 5:29 p.m. UTC | #1 
On Tue, Jun 26, 2018 at 07:02:38PM +0800, Baozeng Ding wrote:
> Signed-off-by: Baozeng Ding <sploving1@gmail.com>
> ---
>  libavcodec/parser.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)

This looks wrong. The input must have AV_INPUT_BUFFER_PADDING_SIZE
allocated at the end.

Is the buffer you pass into the parser large enough ?
this and the source code ive seen looked like it is too small

thanks

[...]
Baozeng Ding Aug. 10, 2018, 8:35 a.m. UTC | #2 
I do not agree with you. We cannot trust any user input.

2018-06-27 1:29 GMT+08:00 Michael Niedermayer <michael@niedermayer.cc>:

> On Tue, Jun 26, 2018 at 07:02:38PM +0800, Baozeng Ding wrote:
> > Signed-off-by: Baozeng Ding <sploving1@gmail.com>
> > ---
> >  libavcodec/parser.c | 10 +++++++---
> >  1 file changed, 7 insertions(+), 3 deletions(-)
>
> This looks wrong. The input must have AV_INPUT_BUFFER_PADDING_SIZE
> allocated at the end.
>
> Is the buffer you pass into the parser large enough ?
> this and the source code ive seen looked like it is too small
>
> thanks
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> I know you won't believe me, but the highest form of Human Excellence is
> to question oneself and others. -- Socrates
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>
Hendrik Leppkes Aug. 10, 2018, 9:24 a.m. UTC | #3 
On Fri, Aug 10, 2018 at 10:41 AM Baozeng <sploving1@gmail.com> wrote:
>
> I do not agree with you. We cannot trust any user input.
>

The API requires this, if this is not fullfilled then the user
application is buggy, not avcodec.

PS:
Please don't top post on this ML.

- Hendrik
Baozeng Ding Aug. 10, 2018, 9:45 a.m. UTC | #4 
Sorry. I do not understand the API. I will learn it later. Thank you.

2018-08-10 17:24 GMT+08:00 Hendrik Leppkes <h.leppkes@gmail.com>:

> On Fri, Aug 10, 2018 at 10:41 AM Baozeng <sploving1@gmail.com> wrote:
> >
> > I do not agree with you. We cannot trust any user input.
> >
>
> The API requires this, if this is not fullfilled then the user
> application is buggy, not avcodec.
>
> PS:
> Please don't top post on this ML.
>
> - Hendrik
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
diff mbox

Patch

diff --git a/libavcodec/parser.c b/libavcodec/parser.c
index f43b197..a9786af 100644
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -355,6 +355,7 @@  int ff_combine_frame(ParseContext *pc, int next,
 
     av_assert0(next >= 0 || pc->buffer);
 
+    int origin_buf_size = *buf_size;
     *buf_size          =
     pc->overread_index = pc->index + next;
 
@@ -370,9 +371,12 @@  int ff_combine_frame(ParseContext *pc, int next,
             return AVERROR(ENOMEM);
         }
         pc->buffer = new_buffer;
-        if (next > -AV_INPUT_BUFFER_PADDING_SIZE)
-            memcpy(&pc->buffer[pc->index], *buf,
-                   next + AV_INPUT_BUFFER_PADDING_SIZE);
+        if (next > -AV_INPUT_BUFFER_PADDING_SIZE) {
+            int copy_len = next + AV_INPUT_BUFFER_PADDING_SIZE;
+            if (next + AV_INPUT_BUFFER_PADDING_SIZE > origin_buf_size)
+                copy_len = origin_buf_size;
+            memcpy(&pc->buffer[pc->index], *buf, copy_len);
+        }
         pc->index = 0;
         *buf      = pc->buffer;
     }