Re: [FFmpeg-devel] [libav-devel] [PATCH] alsdec: validate time diff index

Mon, 20 Apr 2015 14:21:06 -0700 

On 19.04.2015 22:20, Luca Barbato wrote:
> On 18/04/15 18:58, Andreas Cadhalpun wrote:
>> If begin is smaller than t, the subtraction 'begin -= t' wraps around,
>> because begin is unsigned. The same applies for end < t.
>>
>> This causes segmentation faults.
> 
> Actually, the access to raw_buffer seems a bit optimistic all over this
> code.
> 
> I'd check that `master` is always between `raw_buffer` and the end of it.

You mean something like the attached patch?

> (I'm not sure if `div_blocks` is validated before, same for `offset`)

That should catch problems in those as well.

Best regards,
Andreas

>From 5b0a985130f94c887c40028f5549a29576a26991 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Mon, 20 Apr 2015 23:14:28 +0200
Subject: [PATCH] alsdec: check sample pointer range in
 revert_channel_correlation

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/alsdec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index c81db18..a14761c 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1246,6 +1246,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
     ALSChannelData *ch = cd[c];
     unsigned int   dep = 0;
     unsigned int channels = ctx->avctx->channels;
+    unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order;
 
     if (reverted[c])
         return 0;
@@ -1303,6 +1304,15 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd,
                 end   -= t;
             }
 
+            if (master + FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer ||
+                master + FFMAX(end + 1,   end + 1 + t)   > ctx->raw_buffer + channels * channel_size) {
+                    av_log(ctx->avctx, AV_LOG_ERROR,
+                           "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n",
+                           master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1,   end + 1 + t),
+                           ctx->raw_buffer, ctx->raw_buffer + channels * channel_size);
+                    return AVERROR_INVALIDDATA;
+                }
+
             for (smp = begin; smp < end; smp++) {
                 y  = (1 << 6) +
                      MUL64(ch[dep].weighting[0], master[smp - 1    ]) +
-- 
2.1.4


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Reply via email to