Hi,

2012/2/29 Måns Rullgård <[email protected]>:
> Vitor Sessak <[email protected]> writes:
>
>> On 02/29/2012 04:28 PM, Janne Grunau wrote:
>>> On 2012-02-26 09:52:44 +0100, Vitor Sessak wrote:
>>>> ---
>>>> libavcodec/ra144dec.c | 2 ++
>>>> libavcodec/ra288.c | 2 ++
>>>> libavcodec/sipr.c | 2 ++
>>>> libavcodec/twinvq.c | 2 ++
>>>> 4 files changed, 8 insertions(+), 0 deletions(-)
>>>
>>> Why?
>>>
>>> Have you proved that each of the decoders can't overread?
>>
>> Of course I did. I concede I didn't do it with the AMRNB in my first
>> patch. I was almost sure I saw the check when I reviewed it, but I was
>> wrong.
>
> [...]
>
>>> I would say the decoders are not important enough and the speed penalty
>>> for audio doesn't matter enough to disable the safe bitstream reader.
>>
>> How hard is it to check a single constant value correctly? What is the
>> use of the safe bitstream reader if the check is done right?
>
> There's much more to it than that. Almost anything using
> variable-length codes will need more than a simple packet size check, or
> a damaged/malicious bitstream may cause over-reads.
This is the concern that I have also... We really want an almost-academic sort of proof that the decoder can not possibly ever consume more than X bits of data from /dev/random per single decoding iteration before unsetting the safe bitstream reader flag.

Ronald

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
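The distinction Måns and Vitor are arguing over, as an added illustration that is not libav code and not part of Vitor's patch: a bit reader whose bounds check is always on, a fixed-rate frame whose bit consumption is a constant a caller can verify against the packet size, and a variable-length (Exp-Golomb style) frame whose consumption depends on the data, so that a packet of the right size still drives the reader past the end. The reader, the two decoders and the two constructed packets are all assumptions made here for the demonstration; the reader keeps counting demanded bits after the end so the caller can see how far an unchecked reader would have gone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy bit reader written for this illustration (not libav's get_bits). The
 * bounds check is always on: a read past the end returns 0 and sets a flag
 * instead of touching memory, but pos keeps counting demanded bits. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;   /* bits actually present in the packet */
    size_t pos;         /* next bit demanded by the decoder */
    int overread;       /* set once a read went past size_bits */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes) {
    br->buf = buf;
    br->size_bits = size_bytes * 8;
    br->pos = 0;
    br->overread = 0;
}

static unsigned br_get_bit(BitReader *br) {
    unsigned bit = 0;
    if (br->pos < br->size_bits)
        bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    else
        br->overread = 1;   /* an unchecked reader would read past buf here */
    br->pos++;
    return bit;
}

static unsigned br_get_bits(BitReader *br, int n) {
    unsigned v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 1) | br_get_bit(br);
    return v;
}

/* Fixed-rate frame: every symbol is exactly 4 bits, so consumption is the
 * constant nsyms*4 and a single up-front size check bounds it. */
static int fixed_frame_fits(size_t len, int nsyms) {
    return len * 8 >= (size_t)nsyms * 4;
}

static size_t decode_fixed_frame(const uint8_t *buf, size_t len, int nsyms, unsigned *out) {
    BitReader br;
    br_init(&br, buf, len);
    for (int i = 0; i < nsyms; i++)
        out[i] = br_get_bits(&br, 4);
    return br.pos;   /* always nsyms*4; no data-dependent growth */
}

/* Exp-Golomb code: k leading zeros, a one, then k more bits. Its length is
 * decided by the bitstream, so no packet-size constant bounds it. */
static unsigned decode_exp_golomb(BitReader *br) {
    int k = 0;
    while (br_get_bit(br) == 0) {
        if (br->overread || k >= 31)   /* exhausted or absurd prefix: bail out */
            return 0;
        k++;
    }
    return ((1u << k) - 1) + br_get_bits(br, k);
}

typedef struct { size_t bits_consumed; int overread; } VlcResult;

static VlcResult decode_vlc_frame(const uint8_t *buf, size_t len, int nsyms, unsigned *out) {
    BitReader br;
    br_init(&br, buf, len);
    for (int i = 0; i < nsyms; i++)
        out[i] = decode_exp_golomb(&br);
    VlcResult r = { br.pos, br.overread };
    return r;
}

/* Constructed packets for the demonstration (not real codec data). Both are
 * two bytes, so both pass a "packet is at least 2 bytes" check. */
static const uint8_t WELL_FORMED[2] = { 0xF0, 0x00 };  /* four Exp-Golomb zeros: "1111" */
static const uint8_t MALICIOUS[2]   = { 0x00, 0x00 };  /* a prefix that never terminates */

int main(void) {
    unsigned out[4];
    printf("fixed frame fits: %d, bits used: %zu\n",
           fixed_frame_fits(2, 4), decode_fixed_frame(WELL_FORMED, 2, 4, out));
    VlcResult r = decode_vlc_frame(WELL_FORMED, 2, 4, out);
    printf("vlc well-formed: %zu bits demanded, overread=%d\n", r.bits_consumed, r.overread);
    r = decode_vlc_frame(MALICIOUS, 2, 4, out);
    printf("vlc malicious:   %zu bits demanded, overread=%d\n", r.bits_consumed, r.overread);
    return 0;
}
```

The well-formed VLC packet uses 4 of its 16 bits; the all-zero packet of the same size makes the first symbol alone demand 17 bits, and the remaining three symbols each demand one more, which is the over-read a bounded reader absorbs and an unchecked one does not. The fixed-rate decoder's consumption is the same on any input, which is the property that makes a single constant check sufficient for it.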
