Bug 173044 - [PATCH to ffmpeg] Memory error in mjpeg_decode_frame
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-libav
Version: git master
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: 0.8.5
Assigned To: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2005-04-08 10:37 UTC by Luca Ognibene
Modified: 2005-04-09 07:46 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
correct patch (521 bytes, patch), 2005-04-08 11:07 UTC, Ronald Bultje

Description Luca Ognibene 2005-04-08 10:37:22 UTC
In the function mjpeg_decode_frame (mjpeg.c):
  buf_ptr = buf;
  buf_end = buf + buf_size;
but in find_marker:
  while (buf_ptr < buf_end) {
        v = *buf_ptr++;
        v2 = *buf_ptr;
  ...
So if buf_ptr == (buf_end - 1), v2 = buf_ptr[buf_end] and this gives [Invalid read of size 1].
I think that buf_end should be declared as
  buf_end = buf + buf_size - 1;
Comment 1 Ronald Bultje 2005-04-08 11:02:17 UTC
Then it won't read the last v.

if (buf_ptr != buf_end)
  v2 = *buf_ptr;

sounds like a better fix, although it adds quite some cycles...
Comment 2 Ronald Bultje 2005-04-08 11:04:40 UTC
Hm, nm, you're correct.
Comment 3 Ronald Bultje 2005-04-08 11:07:12 UTC
Created attachment 39832 [details] [review]
correct patch

This should prevent the memory overrun but still work fine for any input.
Comment 4 Luca Ognibene 2005-04-08 12:56:11 UTC
Ok, it works for me. I was thinking that:
  buf_ptr = pointer to the start of the buffer
  buf_end = pointer to the last byte of the buffer
and so size would be (end - start + 1). Instead it seems
that buf_end is "pointer to the last byte of the buffer + 1".
Comment 5 Ronald Bultje 2005-04-08 19:55:47 UTC
Fixed.
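As an added example (not ffmpeg's code and not the attached patch), the loop shape quoted in the description modelled in C with an instrumented read, so the one-byte overrun is counted instead of performed. It compares the original loop, the `buf + buf_size - 1` end pointer proposed in the description (Comment 1's objection: the last byte is then never consumed as v) and the `if (buf_ptr != buf_end)` guard from Comment 1; the marker byte range 0xD8..0xFE and the sample buffers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

enum variant { ORIGINAL, LAST_BYTE, GUARDED };

struct scan_result {
    int marker;        /* second marker byte found, or -1 */
    int bytes_scanned; /* bytes consumed as `v` */
    int oob_reads;     /* reads attempted at or past buf + buf_size */
};

/* Instrumented stand-in for `*buf_ptr`: never dereferences past the real end
 * of the allocation; it records the attempt and returns 0 instead. */
static unsigned read_byte(const uint8_t *p, const uint8_t *limit, int *oob)
{
    if (p >= limit) { (*oob)++; return 0; }
    return *p;
}

/* Simplified model of the loop quoted in the report. A marker is taken to be
 * 0xFF followed by a byte in 0xD8..0xFE (an assumption for this example). */
static struct scan_result find_marker(const uint8_t *buf, size_t buf_size, enum variant how)
{
    struct scan_result r = { -1, 0, 0 };
    const uint8_t *limit = buf + buf_size;   /* true end of memory */
    const uint8_t *buf_ptr = buf;
    const uint8_t *buf_end;
    unsigned v, v2;
    if (buf_size == 0) return r;
    /* LAST_BYTE is the `buf + buf_size - 1` end pointer proposed in the description. */
    buf_end = (how == LAST_BYTE) ? buf + buf_size - 1 : buf + buf_size;
    while (buf_ptr < buf_end) {
        v = read_byte(buf_ptr++, limit, &r.oob_reads);
        r.bytes_scanned++;
        if (how == GUARDED && buf_ptr == buf_end)
            v2 = 0;                                       /* Comment 1: no second read at the end */
        else
            v2 = read_byte(buf_ptr, limit, &r.oob_reads); /* original: may read one byte past the end */
        if (v == 0xFF && v2 >= 0xD8 && v2 <= 0xFE) {
            r.marker = (int)v2;
            break;
        }
    }
    return r;
}

/* Constructed sample inputs: one ends in 0xFF (triggers the overrun), one holds a marker. */
static const uint8_t sample_trailing_ff[3] = { 0x00, 0x12, 0xFF };
static const uint8_t sample_with_marker[3] = { 0x00, 0xFF, 0xD8 };
```

With the trailing-0xFF buffer the original loop scans all three bytes but attempts one read past the end, the shortened end pointer scans only two bytes, and the guarded loop scans all three with no out-of-range read.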