On 01/13/2013 09:09 AM, Luca Barbato wrote: > Context https://bugzilla.libav.org/show_bug.cgi?id=420 > > We have different problems with that sample: > > - the mov demuxer ends up sending a huge packet because of a misparsing > > - the packet size * 8 overflows the integer and init_get_bits doesn't > return errors. > > - show_bits just segfaults on nulled context > > So far I have this naive solution: > > -static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, > +static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, > int bit_size) > { > int buffer_size = (bit_size+7)>>3; > + int ret = 0; > if (buffer_size < 0 || bit_size < 0) { > buffer_size = bit_size = 0; > buffer = NULL; > + ret = AVERROR_INVALIDDATA; > } > > s->buffer = buffer; > @@ -383,6 +385,7 @@ static inline void init_get_bits(GetBitContext *s, > const uint8_t *buffer, > #endif > s->buffer_end = buffer + buffer_size; > s->index = 0; > + return ret; > } > > And it works decently w/out having an incredible impact on performance, > still show_bits can crash. > > I hadn't checked if we can do something on the mov demuxer yet.
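Review bot: the sign test in `if (buffer_size < 0 || bit_size < 0)` only catches the overflow when the wrapped product happens to land negative, and `int buffer_size = (bit_size+7)>>3;` can itself wrap when bit_size is within 7 of INT_MAX, so the bound should be checked on the byte count before it is multiplied by 8 (at the call site) rather than inferred from the sign afterwards. Changing the return type to int also helps only callers that test the result, so every init_get_bits() caller needs to be updated in the same change; until then show_bits() on the nulled context remains reachable, as the cover text already notes.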
Probably a good idea anyway (or at least an assert) but it seems fragile as a solution to this specific problem. Why not check before the overflow instead of after?

-Justin

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
