Bug indeo3 decoder reads past buffer
CVS Version: FFMpeg-20050303
Input File:
http://217.153.29.18/%7Emichal/dec/japan/Sonic%20CD.avi
Objective: Decode all video frames as shown in example
by Martin Bohme
Problem:
Program received signal SIGSEGV, Segmentation fault.
0x08134940 in iv_Decode_Chunk (s=0x9081ed0,
cur=0x9086c00 '\024' <repeats 200 times>...,
ref=0x908b7a0 "", width=160, height=120,
buf1=0x1e329457 <Address 0x1e329457 out of bounds>,
fflags2=0, hdr=0x90b7610
"\002\024&8J\\n\177\202\224ڏĘÜî˙",
buf2=0x90b7764
"wmy|\204\207\217\205v\206|\203\201qrxy\200\200qu\177\204\213\213\177\203yrsno\201vy\203\204\177z{\205\200\211|{op|t\177xwtms\206\207\211\210\204{vz\203\210y\200\177wyzvyxsvo{\200yvtwnt\200\211\202uyn\202\202|\177}\177suyxu\202\204qr\203|wyz|\205\177y|z{~\177\202\204~wzz}\201\200\213\202\205\210\210\201\202\214\202ss}\203\207\220\222\203~\211|p\201\205\211\205yqtyz\207\200\200\201\211\221\232\227\223\201vpjy\202xzuu}\202\207\206\213\210\210\211\217\217\217\222\206\204\200{\204\211\214\203\211|"...,
min_width_160=160) at indeo3.c:355
355 bit_buf = *buf1++;
The offending code block is in indeo3.c:iv_decode_frame:

    buf_pos = buf + 16 + offs1;
    offs = le2me_32(*(uint32_t *)buf_pos);
    buf_pos += 4;
    iv_Decode_Chunk(s, s->cur_frame->Ybuf,
                    s->ref_frame->Ybuf, hdr_width,
                    hdr_height, buf_pos + offs * 2, fflags2, hdr_pos,
                    buf_pos,
                    min(hdr_width, 160));
offs is read from the data buffer and used without any
bounds checking.
Patch:
Someone familiar with the codec logic needs to add
bounds checking.
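The kind of check the report asks for, as an added illustration that is not FFmpeg's code: a hypothetical helper that reads the offset field at buf + 16 + offs1 the way the snippet above does, but refuses the frame when the field itself or buf_pos + offs * 2 would leave the buf_size bytes at buf. The frame layout, the 20-byte minimum and the sample data are assumptions made only for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Alignment-safe little-endian read standing in for le2me_32(*(uint32_t *)p). */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical hardened lookup (not FFmpeg code): returns the pointer the
 * decoder would pass as buf1, or NULL if the offset field or the computed
 * buf_pos + offs*2 falls outside the buf_size bytes at buf. */
const uint8_t *indeo3_chunk_ptr(const uint8_t *buf, size_t buf_size, size_t offs1)
{
    /* The 4-byte offset field occupies [16 + offs1, 20 + offs1). */
    if (offs1 > buf_size || buf_size - offs1 < 20)
        return NULL;
    const uint8_t *buf_pos = buf + 16 + offs1;
    uint32_t offs = rd_le32(buf_pos);
    buf_pos += 4;
    size_t remaining = buf_size - (20 + offs1);   /* bytes after the field */
    /* iv_Decode_Chunk reads at least one byte at buf1 (bit_buf = *buf1++),
     * so offs*2 must be strictly below remaining; compare without
     * multiplying so offs*2 cannot overflow a 32-bit size_t. */
    if (remaining == 0 || offs > (remaining - 1) / 2)
        return NULL;
    return buf_pos + (size_t)offs * 2;
}

/* Constructed 28-byte frame (not real Indeo3 data): 16 header bytes, the
 * offset field at +16 (offs1 = 0), then 8 bytes of chunk data.
 * Returns 1 if the hardened lookup accepts it, 0 if it rejects it. */
int sample_accepts(uint32_t offs)
{
    uint8_t frame[28];
    memset(frame, 0x14, sizeof frame);
    frame[16] = (uint8_t)offs;
    frame[17] = (uint8_t)(offs >> 8);
    frame[18] = (uint8_t)(offs >> 16);
    frame[19] = (uint8_t)(offs >> 24);
    return indeo3_chunk_ptr(frame, sizeof frame, 0) != NULL;
}

int main(void)
{
    printf("offs=3: %s\n", sample_accepts(3) ? "accepted" : "rejected");
    printf("offs=4: %s\n", sample_accepts(4) ? "accepted" : "rejected");
    printf("offs=0xffffffff: %s\n", sample_accepts(0xFFFFFFFFu) ? "accepted" : "rejected");
    return 0;
}
```

With 8 bytes of chunk data, offs values 0 to 3 are accepted and anything larger, including the huge values a corrupt file can carry, is rejected before any pointer is formed.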
(gdb) bt
#0 0x08134940 in iv_Decode_Chunk (s=0x9081ed0,
cur=0x9086c00 '\024' <repeats 200 times>...,
ref=0x908b7a0 "", width=160, height=120,
buf1=0x1e329457 <Address 0x1e329457 out of bounds>,
fflags2=0, hdr=0x90b7610
"\002\024&8J\\n\177\202\224ڏĘÜî˙",
buf2=0x90b7764
"wmy|\204\207\217\205v\206|\203\201qrxy\200\200qu\177\204\213\213\177\203yrsno\201vy\203\204\177z{\205\200\211|{op|t\177xwtms\206\207\211\210\204{vz\203\210y\200\177wyzvyxsvo{\200yvtwnt\200\211\202uyn\202\202|\177}\177suyxu\202\204qr\203|wyz|\205\177y|z{~\177\202\204~wzz}\201\200\213\202\205\210\210\201\202\214\202ss}\203\207\220\222\203~\211|p\201\205\211\205yqtyz\207\200\200\201\211\221\232\227\223\201vpjy\202xzuu}\202\207\206\213\210\210\211\217\217\217\222\206\204\200{\204\211\214\203\211|"...,
min_width_160=160) at indeo3.c:355
#1 0x0813466a in iv_decode_frame (s=0x9081ed0,
buf=0x90b75e0 "\026", buf_size=1335) at indeo3.c:229
#2 0x08137766 in indeo3_decode_frame (avctx=0x9080068,
data=0x9091e40, data_size=0xfef098dc,
buf=0x90b75e0 "\026", buf_size=1335) at indeo3.c:1084
#3 0x0807f63d in avcodec_decode_video
(avctx=0x9080068, picture=0x9091e40,
got_picture_ptr=0xfef098dc,
buf=0x90b75e0 "\026", buf_size=1335) at utils.c:595
This Sourceforge bug tracker here has been abandoned many years ago.
Our new tracker can be found through http://www.ffmpeg.org/bugreports.html