From patchwork Wed Dec 14 23:38:18 2016
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 1788
Delivered-To: ffmpegpatchwork@gmail.com
From: Matthew Wolenetz
Date: Wed, 14 Dec 2016 15:38:18 -0800
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] lavf/utils.c Protect against accessing entries[nb_entries]

In ff_index_search_timestamp(), if b == num_entries, m == num_entries - 1, and entries[m].flags & AVINDEX_DISCARD_FRAME is true, then the search for the next non-discarded packet could access entries[nb_entries], exceeding its bounds. This change adds a protection against that scenario.

Reference: https://crbug.com/666770

From e91355afac548fbc7cc0cb4ecbc06dce6495df80 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz
Date: Mon, 21 Nov 2016 15:54:02 -0800
Subject: [PATCH] lavf/utils.c Protect against accessing entries[nb_entries]

In ff_index_search_timestamp(), if b == num_entries, m == num_entries - 1, and entries[m].flags & AVINDEX_DISCARD_FRAME is true, then the search for the next non-discarded packet could access entries[nb_entries], exceeding its bounds. This change adds a protection against that scenario.

Reference: https://crbug.com/666770
---
 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index fb17423..b2d25eb 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1968,7 +1968,7 @@ int ff_index_search_timestamp(const AVIndexEntry *entries, int nb_entries, m = (a + b) >> 1; // Search for the next non-discarded packet. - while ((entries[m].flags & AVINDEX_DISCARD_FRAME) && m < b) { + while ((entries[m].flags & AVINDEX_DISCARD_FRAME) && m < b && m < nb_entries - 1) { m++; if (m == b && entries[m].timestamp >= wanted_timestamp) { m = b - 1; -- 2.8.0.rc3.226.g39d4020
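Review bot: the new `m < nb_entries - 1` guard makes the skip loop stop on entries[nb_entries - 1] even when that entry still carries AVINDEX_DISCARD_FRAME, so the loop whose comment says "Search for the next non-discarded packet" can now exit on a discarded one; if callers must not be handed a discarded entry, that case needs a check after the loop rather than the guard alone. The guard only changes behaviour when b == nb_entries, because for b < nb_entries the existing `m < b` bound already keeps `m` (and the `entries[m]` read in the `m == b` branch) inside the array; `m < FFMIN(b, nb_entries - 1)` would state that more directly than the pair of comparisons. Minor: the description says `num_entries` where the parameter in this function is `nb_entries`.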
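As an added example (not FFmpeg's code and not part of this patch), the bisection from ff_index_search_timestamp() is modelled below in a self-contained C program. The element reads go through two hypothetical instrumented accessors, ts_at() and flags_at(), which count any access at index >= nb_entries instead of reading past the array, and a constructed two-entry index reproduces the scenario in the commit message (last entry flagged AVINDEX_DISCARD_FRAME, wanted timestamp before it). The `patched` switch selects the pre-patch loop condition or the one from the hunk; the AVSEEK flag handling and keyframe post-filter of the real function are simplified to a single `backward` flag.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag value as defined in libavformat/avformat.h. */
#define AVINDEX_DISCARD_FRAME 0x0002

/* Minimal stand-in for AVIndexEntry: only the fields the search touches. */
typedef struct {
    int64_t timestamp;
    int     flags;
} IndexEntry;

/* Instrumented accessors (hypothetical, not in FFmpeg). A read at an index
 * outside [0, nb) is counted in *oob_reads and returns a fixed value that
 * stands in for whatever memory happens to follow the array in the real code. */
static int64_t ts_at(const IndexEntry *e, int nb, int i, int *oob_reads)
{
    if (i < 0 || i >= nb) { (*oob_reads)++; return 0; }
    return e[i].timestamp;
}

static int flags_at(const IndexEntry *e, int nb, int i, int *oob_reads)
{
    if (i < 0 || i >= nb) { (*oob_reads)++; return 0; }
    return e[i].flags;
}

/* Model of the bisection in ff_index_search_timestamp(). patched == 0 runs the
 * pre-patch skip loop; patched == 1 adds the "m < nb_entries - 1" guard from
 * the hunk. backward selects the AVSEEK_FLAG_BACKWARD result (a instead of b);
 * the keyframe post-filter is left out. */
static int index_search(const IndexEntry *entries, int nb_entries,
                        int64_t wanted, int backward, int patched,
                        int *oob_reads)
{
    int a = -1, b = nb_entries, m;
    int64_t timestamp;

    *oob_reads = 0;
    /* Optimize appending index entries at the end. */
    if (b && ts_at(entries, nb_entries, b - 1, oob_reads) < wanted)
        a = b - 1;

    while (b - a > 1) {
        m = (a + b) >> 1;
        /* Search for the next non-discarded packet. */
        while ((flags_at(entries, nb_entries, m, oob_reads) & AVINDEX_DISCARD_FRAME)
               && m < b && (!patched || m < nb_entries - 1)) {
            m++;
            /* Pre-patch, m can equal b == nb_entries here: entries[nb_entries]. */
            if (m == b && ts_at(entries, nb_entries, m, oob_reads) >= wanted) {
                m = b - 1;
                break;
            }
        }
        timestamp = ts_at(entries, nb_entries, m, oob_reads);
        if (timestamp >= wanted) b = m;
        if (timestamp <= wanted) a = m;
    }
    m = backward ? a : b;
    return m == nb_entries ? -1 : m;
}

/* Constructed index (not real stream data): the last entry is flagged for
 * discard and the wanted timestamp 5 lies before it, so the bisection reaches
 * m == nb_entries - 1 with b == nb_entries, the case the commit message names. */
static const IndexEntry sample[] = {
    { 0,  0 },
    { 10, AVINDEX_DISCARD_FRAME },
};
#define SAMPLE_N ((int)(sizeof(sample) / sizeof(sample[0])))

/* Out-of-bounds reads performed by the unpatched loop on the sample index. */
int unpatched_oob_reads(void)
{
    int oob;
    index_search(sample, SAMPLE_N, 5, 0, 0, &oob);
    return oob;
}

/* Out-of-bounds reads with the guard from the hunk applied. */
int patched_oob_reads(void)
{
    int oob;
    index_search(sample, SAMPLE_N, 5, 0, 1, &oob);
    return oob;
}

/* Index the patched search returns for a forward seek to timestamp 5. */
int patched_forward_result(void)
{
    int oob;
    return index_search(sample, SAMPLE_N, 5, 0, 1, &oob);
}

int main(void)
{
    printf("unpatched: %d out-of-bounds reads\n", unpatched_oob_reads());
    printf("patched:   %d out-of-bounds reads, forward result = %d\n",
           patched_oob_reads(), patched_forward_result());
    return 0;
}
```

On this input the unpatched loop reads entries[2] three times (once in the `m == b` check, once re-testing the flags, once for `timestamp`), while the guarded loop performs none; note that the guarded search settles on index 1, which is the discarded entry, so the guard removes the over-read but does not by itself keep a discarded entry out of the result.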