kostya | 1 Nov 2007 10:02

r10892 - trunk/libavformat/rmdec.c

Author: kostya
Date: Thu Nov  1 10:02:29 2007
New Revision: 10892

Log:
Revert get_num() to old behaviour in order to handle
incorrect RMs generated by lavf muxer.

Modified:
   trunk/libavformat/rmdec.c

Modified: trunk/libavformat/rmdec.c
==============================================================================
--- trunk/libavformat/rmdec.c	(original)
+++ trunk/libavformat/rmdec.c	Thu Nov  1 10:02:29 2007
 <at>  <at>  -366,7 +366,7  <at>  <at>  static int get_num(ByteIOContext *pb, in

     n = get_be16(pb);
     (*len)-=2;
-    n &= 0x7FFF;
+//    n &= 0x7FFF;
     if (n >= 0x4000) {
         return n - 0x4000;
     } else {
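
Review bot: with the mask disabled, a 16-bit n that has bit 15 set now takes the `n >= 0x4000` branch and is returned as n - 0x4000 (up to 0xBFFF), and nothing in the visible lines bounds that result or checks that *len was at least 2 before `(*len)-=2`. Suggest range-checking n and the remaining length here and returning an error for out-of-range input, instead of leaving every caller to cope with whatever the file supplied.
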
Michael Niedermayer | 1 Nov 2007 16:41

Re: r10892 - trunk/libavformat/rmdec.c

Hi

On Thu, Nov 01, 2007 at 10:02:29AM +0100, kostya wrote:
> Author: kostya
> Date: Thu Nov  1 10:02:29 2007
> New Revision: 10892
> 
> Log:
> Revert get_num() to old behaviour in order to handle
> incorrect RMs generated by lavf muxer.
> 
> 
> Modified:
>    trunk/libavformat/rmdec.c
> 
> Modified: trunk/libavformat/rmdec.c
> ==============================================================================
> --- trunk/libavformat/rmdec.c	(original)
> +++ trunk/libavformat/rmdec.c	Thu Nov  1 10:02:29 2007
>  <at>  <at>  -366,7 +366,7  <at>  <at>  static int get_num(ByteIOContext *pb, in
>  
>      n = get_be16(pb);
>      (*len)-=2;
> -    n &= 0x7FFF;
> +//    n &= 0x7FFF;
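
Review bot: the mask is switched off by commenting it out (`//    n &= 0x7FFF;`) with no explanation beside it, so the reason (incorrect RMs from the lavf muxer) exists only in the commit log. Either delete the line or add a comment next to it saying why the mask is off and under what condition it can be restored.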

it seems the seek regression tests still fail also
this cannot _fix_ the crash, as simply storing the & 0x7FFF
should still crash, it's just a workaround


Kostya | 1 Nov 2007 19:22

Re: r10892 - trunk/libavformat/rmdec.c

On Thu, Nov 01, 2007 at 04:41:07PM +0100, Michael Niedermayer wrote:
> Hi
> 
> On Thu, Nov 01, 2007 at 10:02:29AM +0100, kostya wrote:
> > Author: kostya
> > Date: Thu Nov  1 10:02:29 2007
> > New Revision: 10892
> > 
> > Log:
> > Revert get_num() to old behaviour in order to handle
> > incorrect RMs generated by lavf muxer.
> > 
> > 
> > Modified:
> >    trunk/libavformat/rmdec.c
> > 
> > Modified: trunk/libavformat/rmdec.c
> > ==============================================================================
> > --- trunk/libavformat/rmdec.c	(original)
> > +++ trunk/libavformat/rmdec.c	Thu Nov  1 10:02:29 2007
> >  <at>  <at>  -366,7 +366,7  <at>  <at>  static int get_num(ByteIOContext *pb, in
> >  
> >      n = get_be16(pb);
> >      (*len)-=2;
> > -    n &= 0x7FFF;
> > +//    n &= 0x7FFF;
> 
> it seems the seek regression tests still fail also
> this cannot _fix_ the crash, as simply storing the & 0x7FFF
> should still crash, it's just a workaround

Rich Felker | 1 Nov 2007 18:52

Re: r10892 - trunk/libavformat/rmdec.c

On Thu, Nov 01, 2007 at 08:22:44PM +0200, Kostya wrote:
> alternative patches to fix muxer. After that I may add a stricter check
> for input values (so incorrect length/pos values will be caught and
> reported).

This is the only part that's relevant and it's a critical probably
vulnerable bug. Please fix it immediately! You cannot use any value
obtained from a file without strict checking!

Rich
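
The strict check asked for in this thread, sketched as an added example (not code from the FFmpeg tree or from anyone posting here). `Reader`, `read_be16_checked`, `get_num_checked`, `decode_bytes`, the error codes and the `max` parameter are hypothetical names; the two-word long form in the `else` branch is an assumption, since the hunk above cuts off at that point.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical in-memory reader standing in for ByteIOContext. */
typedef struct { const uint8_t *buf; size_t size, pos; } Reader;

enum { NUM_TRUNCATED = -1, NUM_BUDGET = -2, NUM_RANGE = -3 };

/* Read one big-endian 16-bit word; never run past the buffer or the
 * caller's remaining-length budget. Returns the word or a negative error. */
static long read_be16_checked(Reader *r, int *len)
{
    long n;
    if (*len < 2)             return NUM_BUDGET;
    if (r->size - r->pos < 2) return NUM_TRUNCATED;
    n = (long)r->buf[r->pos] << 8 | r->buf[r->pos + 1];
    r->pos += 2;
    *len   -= 2;
    return n;
}

/* Decode a number the way the hunk does, then reject results above max. */
static long get_num_checked(Reader *r, int *len, long max)
{
    long n = read_be16_checked(r, len), n1, v;
    if (n < 0) return n;
    if (n >= 0x4000) {
        v = n - 0x4000;                 /* short form, unmasked as in r10892 */
    } else {
        n1 = read_be16_checked(r, len); /* ASSUMED long form: low 16 bits */
        if (n1 < 0) return n1;
        v = n << 16 | n1;
    }
    return v > max ? NUM_RANGE : v;     /* the file never picks its own limit */
}

/* Convenience wrapper for the constructed inputs below and in the tests. */
static long decode_bytes(const uint8_t *buf, size_t size, int len, long max)
{
    Reader r = { buf, size, 0 };
    return get_num_checked(&r, &len, max);
}

int main(void)
{
    static const uint8_t flagged[] = { 0xC0, 0x10 }; /* constructed: bit 15 set */
    return decode_bytes(flagged, sizeof flagged, 2, 0x3FFF) == NUM_RANGE ? 0 : 1;
}
```

The caller passes the largest value that makes sense at that point in the file (for example the bytes left in the current packet) as `max`, so a word with bit 15 set is reported as an error rather than used as a length or position.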
