[vlc-devel] [PATCH] packetizer/h264: fix 17585: prevent overflow leading to crash

Filip Roséen filip at atch.se
Fri Nov 4 11:24:03 CET 2016


Hi Francois,

On 2016-11-04 11:15, Francois Cartegnie wrote:

> Le 01/11/2016 à 03:23, Filip Roséen a écrit :
> 
> > -        msg_Dbg( p_dec, "found NAL_PPS (pps_id=%d sps_id=%d)", p_pps->i_id, p_pps->i_sps_id );
> > +    {
> > +        msg_Dbg( p_dec, "found NAL_PPS (pps_id=%" PRIu32 " sps_id=%" PRIu32 ")",
> > +            p_pps->i_id, p_pps->i_sps_id );
> > +    }
> > +
> >      p_sys->b_pps = true;
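Review bot: the hunk only widens the printed width of `p_pps->i_id` and `p_pps->i_sps_id` (`%d` to `%" PRIu32 "`), which implies the struct fields were enlarged, but nothing visible here bounds the parsed ids; a malformed PPS carrying an id above the range the standard allows should be rejected before it is stored or used, and widening the storage does not do that. Suggest adding an explicit range check on the parsed ids at the parse site and returning an error for out-of-range values, rather than enlarging the fields. Also, the added `{` `}` braces wrap a single `msg_Dbg` call, which is style noise unrelated to the fix and should be dropped from this patch.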
> 
> That fix is incorrect and allows overflows, thus not detecting broken
> SPS, which would be passed to decoder.

If you do not mind me asking:

 - where does the patch allow for an overflow to occur?

> Also keeps bloating structs without reason. No id will ever require more
> than 1 byte.

Yes, one could have split up the read and assignment to the structure,
but I was looking for the least intrusive change (that would still
allow for correct behavior) while also honoring the specification in
terms of how things are structured.

> Francois