Opened 20 years ago

Closed 20 years ago

#961 closed defect (fixed)

mythcommflag crash in mpeg2 decoding

Reported by: jwestfall@… Owned by: Isaac Richards
Priority: minor Milestone: unknown
Component: mythtv Version: head
Severity: low Keywords:
Cc: Ticket locked: no

Description

I got a reproducable segfault in a recording attaching gdb output. seems to be buf_ptr > buf_end, results in passing a negative input_size value to mpeg1_decode_picture().

Attachments (2)

gdb-commflag.txt (7.1 KB ) - added by jwestfall@… 20 years ago.
gdb output
mpeg12.diff (683 bytes ) - added by jwestfall@… 20 years ago.
patch that fixes

Download all attachments as: .zip

Change History (4)

by jwestfall@…, 20 years ago

Attachment: gdb-commflag.txt added

gdb output

comment:1 by jwestfall@…, 20 years ago

Hi

I believe the following code in find_start_code() is the culprit. 

static int find_start_code(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
{   
    const uint8_t *buf_ptr= *pbuf_ptr;

    buf_ptr++; //gurantees that -1 is within the array
    buf_end -= 2; // gurantees that +2 is within the array

    while (buf_ptr < buf_end) {
        if(*buf_ptr==0){
            while(buf_ptr < buf_end && buf_ptr[1]==0)
                buf_ptr++;

            if(buf_ptr[-1] == 0 && buf_ptr[1] == 1){
                *pbuf_ptr = buf_ptr+3;
                return buf_ptr[2] + 0x100;
            }
        }
        buf_ptr += 2;
    }

If the inner while loop fails because buf_ptr == buf_end, and the following if statement is true, the code will set *pbuf_ptr = buf_ptr+3 which is 1 byte past the real end of the buffer (buf_end+2).

attaching a patch that fixes the issue for me.

by jwestfall@…, 20 years ago

Attachment: mpeg12.diff added

patch that fixes

comment:2 by Isaac Richards, 20 years ago

Resolution: fixed
Status: newclosed

(In [8539]) Close #961 by applying patch (off-by one overread in libavcodec).

Jim, you should probably submit this upstream to the ffmpeg people.

Note: See TracTickets for help on using tickets.