[vlc-devel] Re: [RFC] VLC denial of service bugs

Rémi Denis-Courmont rem at videolan.org
Wed Jan 17 17:59:33 CET 2007

On Tuesday 16 January 2007 01:29, Christophe Massiot wrote:
> Unfortunately checking the boundaries of every motion vector is quite
> CPU-intensive (add several conditional branches in the macroblock
> loop, which is the main loop...), therefore walken decided against
> adding those checks. Some people may debate whether it is still
> appropriate now that a single core can decode 100 MPEG-2 streams in
> parallel, but bear in mind that it is not that over-powered with
> 1920x1080 HDTV content (yet).

If the potential overflow range is limited, it might be faster to simply 
add a dummy margin to the buffers. Of course, it might not be "limited".

> It is interesting to notice that the segmentation fault is a read
> error (outside of the reference picture) but in no way the bug allows
> to write to random locations.

It might be acceptable to have a buffer underflow when reading a file 
locally, but it is not appropriate at all for a transcoding server.

> Walken suggested (but never wrote the
> code) to set a signal handler on SIGSEGV, and whenever it got
> triggered, to longjmp to a safe location and resync on the next slice
> start code. Such an approach has drawbacks too: playing with
> sighandlers in a lib is rarely a good idea, especially within
> multi-threaded programs, and I don't know if there is an equivalent
> under non-UNIX operating systems.

AFAIK, you can catch SIGSEGV, but the state of the system upon return 
from the signal handler is undefined (read: not at all portable). This 
has been the topic of a whole article on Phrack a few years ago.

Rémi Denis-Courmont
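The "dummy margin" idea from the reply above, as an added example that is not VLC or libmpeg2 code: a reference picture is allocated with a guard band of MARGIN pixels on every side and the band is filled by replicating edge pixels, so a motion vector that points up to MARGIN pixels outside the visible picture still reads allocated memory. MARGIN, the 16x16 macroblock size and the demo picture dimensions are assumptions for the example. Because the range may not actually be limited, the example also keeps one bounds check per macroblock (rather than per pixel in the inner loop) that rejects vectors reaching beyond the margin.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MB_SIZE 16
#define MARGIN 32   /* assumed bound on how far a vector may point outside the picture */

typedef struct {
    int width, height;   /* visible picture dimensions */
    int stride;          /* width + 2 * MARGIN */
    uint8_t *alloc;      /* whole allocation including the margins */
    uint8_t *data;       /* pointer to the top-left visible pixel */
} ref_picture_t;

/* Allocate a picture with a MARGIN-pixel guard band on all four sides. */
int ref_alloc(ref_picture_t *p, int w, int h) {
    p->width = w;
    p->height = h;
    p->stride = w + 2 * MARGIN;
    p->alloc = calloc((size_t)p->stride * (size_t)(h + 2 * MARGIN), 1);
    if (!p->alloc) return -1;
    p->data = p->alloc + MARGIN * p->stride + MARGIN;
    return 0;
}

void ref_free(ref_picture_t *p) {
    free(p->alloc);
    p->alloc = p->data = NULL;
}

/* Fill the guard band by replicating edge pixels, as a decoder would do after
   finishing a reference frame; an out-of-picture vector then sees clamped data. */
void ref_pad_edges(ref_picture_t *p) {
    for (int y = 0; y < p->height; y++) {
        uint8_t *row = p->data + y * p->stride;
        memset(row - MARGIN, row[0], MARGIN);
        memset(row + p->width, row[p->width - 1], MARGIN);
    }
    uint8_t *top = p->data - MARGIN;                              /* start of row 0 incl. margin */
    uint8_t *bottom = p->data + (p->height - 1) * p->stride - MARGIN;
    for (int y = 1; y <= MARGIN; y++) {
        memcpy(top - y * p->stride, top, p->stride);
        memcpy(bottom + y * p->stride, bottom, p->stride);
    }
}

/* One check per macroblock: does the 16x16 fetch stay inside picture + margin?
   Returns 1 if the fetch is safe, 0 otherwise. */
int mv_in_margin(const ref_picture_t *p, int mb_x, int mb_y, int mv_x, int mv_y) {
    int x0 = mb_x * MB_SIZE + mv_x;
    int y0 = mb_y * MB_SIZE + mv_y;
    return x0 >= -MARGIN && y0 >= -MARGIN &&
           x0 + MB_SIZE <= p->width + MARGIN &&
           y0 + MB_SIZE <= p->height + MARGIN;
}

/* Copy the 16x16 prediction block into dst; the caller has already validated the vector,
   so this inner loop carries no per-pixel branch. */
void mc_copy_block(const ref_picture_t *p, int mb_x, int mb_y, int mv_x, int mv_y, uint8_t *dst) {
    const uint8_t *src = p->data + (mb_y * MB_SIZE + mv_y) * p->stride + mb_x * MB_SIZE + mv_x;
    for (int y = 0; y < MB_SIZE; y++)
        memcpy(dst + y * MB_SIZE, src + y * p->stride, MB_SIZE);
}

/* Demo helper on a constructed 64x48 gradient picture (pixel = x + y): fetch
   macroblock (0,0) with the given vector and return the first predicted pixel,
   or -1 if the vector was rejected by the margin check. */
int demo_fetch(int mv_x, int mv_y) {
    ref_picture_t pic;
    if (ref_alloc(&pic, 64, 48) != 0) return -1;
    for (int y = 0; y < pic.height; y++)
        for (int x = 0; x < pic.width; x++)
            pic.data[y * pic.stride + x] = (uint8_t)(x + y);
    ref_pad_edges(&pic);
    int first = -1;
    if (mv_in_margin(&pic, 0, 0, mv_x, mv_y)) {
        uint8_t block[MB_SIZE * MB_SIZE];
        mc_copy_block(&pic, 0, 0, mv_x, mv_y, block);
        first = block[0];
    }
    ref_free(&pic);
    return first;
}

int main(void) {
    printf("inside picture (3,4): %d\n", demo_fetch(3, 4));       /* 7 */
    printf("into left margin (-32,5): %d\n", demo_fetch(-32, 5)); /* 5, replicated edge pixel */
    printf("beyond margin (-33,5): %d\n", demo_fetch(-33, 5));    /* -1, rejected */
    return 0;
}
```

The vector (-32,5) lands entirely in the guard band and returns the replicated left-edge pixel of row 5; (-33,5) would read one byte before the allocation and is refused before any memory access. Whether the per-macroblock check is cheap enough in a real decoder is exactly the trade-off the thread discusses; the margin alone only helps when the reachable range is in fact bounded.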