From: Simon Kilvington <s.kilvington <at> eris.qinetiq.com>
Subject: PIX_FMT_PAL8 seg fault
Newsgroups: gmane.comp.video.ffmpeg.devel
Date: Wednesday 30th November 2005 14:11:08 UTC

Hi,

There is a bug in libavcodec when it decodes small (e.g. 1x1)
PIX_FMT_PAL8 format images - the get_buffer function
avcodec_default_get_buffer doesn't alloc enough space for the palette
entries, so when the palette data gets copied into the data[1] array it
overflows the buffer on the heap and causes a seg fault the next time
you use free/malloc (actually it does alloc enough space in base[1], but
data[1] points to the middle of the buffer, so it overflows).

This is probably exploitable.

You can trigger the bug by using avcodec_decode_video to read a
1x1 PNG file with a palette; calling avcodec_close afterwards causes a
seg fault in glibc inside free.

I've attached a patch to fix it. It works for me, but it's a bit
of a hack, so someone who knows more about libavcodec probably should
have a look at it.

I've also attached a PNG file that will trigger it - this PNG
file is currently being broadcast on a DVB carousel to everyone in the
UK, so it's not some contrived example.

--
Simon Kilvington


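The failure mode described in the report, as an added example that is not ffmpeg's code or the author's patch: a plane whose data pointer sits some bytes past the start of its allocation, so that sizing the allocation for the payload alone leaves fewer than 256*4 bytes for the palette. The plane_t struct, the data_offset parameter and the 1024-byte palette size are assumptions made for this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the decoder copies into data[1] for a PAL8 frame: 256 entries of
   4 bytes each (assumed for this model). */
#define PAL8_PALETTE_BYTES (256 * 4)

/* Stand-in for one plane of a frame buffer (not ffmpeg's struct): base is
   the allocation, data points data_offset bytes into it, as the report
   describes for base[1]/data[1]. */
typedef struct {
    uint8_t *base;
    uint8_t *data;
    size_t   base_size;
    size_t   data_offset;
} plane_t;

/* Bytes writable through data before running off the end of base. */
size_t plane_usable_bytes(const plane_t *p) {
    return p->data_offset >= p->base_size ? 0 : p->base_size - p->data_offset;
}

/* The bounds check that is missing in the reported bug. */
int pal8_palette_fits(const plane_t *p) {
    return plane_usable_bytes(p) >= PAL8_PALETTE_BYTES;
}

/* Allocate plane 1 for a w*h PAL8 image. hardened == 0 sizes base for the
   payload only, so a non-zero data_offset eats into the palette's room;
   hardened == 1 adds the offset on top so a full palette always fits. */
int alloc_pal8_plane1(plane_t *p, size_t w, size_t h, size_t data_offset, int hardened) {
    size_t payload = w * h;
    if (payload < PAL8_PALETTE_BYTES) payload = PAL8_PALETTE_BYTES;
    p->base_size   = hardened ? data_offset + payload : payload;
    p->base        = calloc(p->base_size, 1);
    if (!p->base) return -1;
    p->data_offset = data_offset;
    p->data        = p->base + data_offset;
    return 0;
}

/* Copy the palette only when it fits: 0 on success, -1 if refused. */
int copy_palette_checked(plane_t *p, const uint8_t *pal) {
    if (!pal8_palette_fits(p)) return -1;
    memcpy(p->data, pal, PAL8_PALETTE_BYTES);
    return 0;
}

void plane_free(plane_t *p) { free(p->base); p->base = p->data = NULL; p->base_size = 0; }
```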