[FFmpeg-devel,2/2,monvenc] Add extra padding when allocating trk->vos_data

Message ID 20190926175853.23260-1-tfoucu@gmail.com
State New

Commit Message

Thierry Foucu Sept. 26, 2019, 5:58 p.m. UTC
trk->vos_data is mostly used to store the extradata from the codec.
Most encoders, when storing their extradata, allocate with padding.
But the current code was ignoring the padding, which could cause a
heap-buffer-overflow
---
 libavformat/movenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Almer Sept. 26, 2019, 6 p.m. UTC | #1
On 9/26/2019 2:58 PM, Thierry Foucu wrote:
> trk->vos_data is mostly used to store the extradata from the codec.
> Most encoders, when storing their extradata, allocate with padding.
> But the current code was ignoring the padding, which could cause a
> heap-buffer-overflow
> ---
>  libavformat/movenc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/movenc.c b/libavformat/movenc.c
> index e095af0972..11cf1a13a9 100644
> --- a/libavformat/movenc.c
> +++ b/libavformat/movenc.c
> @@ -5378,7 +5378,7 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
>          !TAG_IS_AVCI(trk->tag) &&
>          (par->codec_id != AV_CODEC_ID_DNXHD)) {
>          trk->vos_len  = par->extradata_size;
> -        trk->vos_data = av_malloc(trk->vos_len);
> +        trk->vos_data = av_mallocz(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE);
>          if (!trk->vos_data) {
>              ret = AVERROR(ENOMEM);
>              goto err;
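
Review bot: The switch from `av_malloc` to `av_mallocz` on the `+` line zeroes the entire buffer, while only the trailing `AV_INPUT_BUFFER_PADDING_SIZE` bytes need to be zero if the extradata is copied in afterwards (that copy is outside the lines shown here). This is harmless, but the line deserves a short comment saying the padding is there for readers that may read past `vos_len`, and the commit message should name the code path that hit the heap-buffer-overflow so the fix can be checked against it.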

See
http://lists.ffmpeg.org/pipermail/ffmpeg-devel/2019-September/250522.html

Thierry Foucu Sept. 26, 2019, 6:03 p.m. UTC | #2
On Thu, Sep 26, 2019 at 11:00 AM James Almer <jamrial@gmail.com> wrote:

> On 9/26/2019 2:58 PM, Thierry Foucu wrote:
> > trk->vos_data is mostly used to store the extradata from the codec.
> > Most encoders, when storing their extradata, allocate with padding.
> > But the current code was ignoring the padding, which could cause a
> > heap-buffer-overflow
> > ---
> >  libavformat/movenc.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavformat/movenc.c b/libavformat/movenc.c
> > index e095af0972..11cf1a13a9 100644
> > --- a/libavformat/movenc.c
> > +++ b/libavformat/movenc.c
> > @@ -5378,7 +5378,7 @@ int ff_mov_write_packet(AVFormatContext *s,
> AVPacket *pkt)
> >          !TAG_IS_AVCI(trk->tag) &&
> >          (par->codec_id != AV_CODEC_ID_DNXHD)) {
> >          trk->vos_len  = par->extradata_size;
> > -        trk->vos_data = av_malloc(trk->vos_len);
> > +        trk->vos_data = av_mallocz(trk->vos_len +
> AV_INPUT_BUFFER_PADDING_SIZE);
> >          if (!trk->vos_data) {
> >              ret = AVERROR(ENOMEM);
> >              goto err;
>
> See
> http://lists.ffmpeg.org/pipermail/ffmpeg-devel/2019-September/250522.html



Thanks James.
Ignore this patch then.



Patch

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index e095af0972..11cf1a13a9 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -5378,7 +5378,7 @@  int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
         !TAG_IS_AVCI(trk->tag) &&
         (par->codec_id != AV_CODEC_ID_DNXHD)) {
         trk->vos_len  = par->extradata_size;
-        trk->vos_data = av_malloc(trk->vos_len);
+        trk->vos_data = av_mallocz(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE);
         if (!trk->vos_data) {
             ret = AVERROR(ENOMEM);
             goto err;
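
Review bot: On the added `av_mallocz(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE)` line, the size is derived from `par->extradata_size` with no range check visible in this hunk, so a negative or very large value would yield a wrong allocation size. Suggest rejecting sizes below zero or above `INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` before the allocation. Note also that the hunk pads only this one allocation in `ff_mov_write_packet`; since `trk->vos_len` keeps the unpadded length, any other place that allocates `trk->vos_data` needs the same padding for the invariant to hold everywhere.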