[XviD-devel] Fw: buffer overflow in userdata parser

suxen_drol suxen_drol at hotmail.com
Wed Jan 19 10:14:21 CET 2005


Forwarded by suxen_drol <suxen_drol at hotmail.com>
----------------------- Original Message -----------------------
 From:    pete <pross at xvid.org>
 To:      xvid-devel at xvid.org
 Date:    Tue, 18 Jan 2005 23:21:30 +1100
 Subject: buffer overflow in userdata parser
----

hi,

having just reviewed the userdata parsing code,
there appears to be a buffer overflow error when
the userdata is 256 bytes or more. patch below.

side note: isn't 256 bytes overkill? the largest
string we have to process is going to be
something like "DivX503Build99999p". even if we
extend the integers to 2^32, there's still less
than 32 bytes to process..

diff -u -r1.48 bitstream.c
--- bitstream.c	5 Dec 2004 13:56:13 -0000	1.48
+++ bitstream.c	17 Jan 2005 06:50:08 -0000
@@ -981,16 +981,17 @@
 			return coding_type;
 
 		} else if (start_code == USERDATA_START_CODE) {
-			char tmp[256];
+#define USERDATA_LEN  256
+			char tmp[USERDATA_LEN];
 		    int i, version, build;
 			char packed;
 
 			BitstreamSkip(bs, 32);	/* user_data_start_code */
 
-			memset(tmp, 0, 256);
+			memset(tmp, 0, USERDATA_LEN);
 			tmp[0] = BitstreamShowBits(bs, 8);
 
-			for(i = 1; i < 256; i++){
+			for(i = 1; i < USERDATA_LEN - 1; i++){
 				tmp[i] = (BitstreamShowBits(bs, 16) & 0xFF);
 
 				if(tmp[i] == 0)
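
Review bot: `#define USERDATA_LEN  256` is placed inside the `else if (start_code == USERDATA_START_CODE)` branch and is never undefined, so the macro stays visible for the rest of bitstream.c. Either move it to file scope or drop it and use `sizeof(tmp)` in both the `memset` and the loop bound, which keeps the size tied to the array declaration. The new bound `i < USERDATA_LEN - 1` leaves `i` at 255, the last valid index, when no zero byte is found, but the hunk ends before the code that follows the loop, so please confirm that any later access to `tmp[i]` relies on exactly that, and add a short comment stating that the final byte is reserved for the terminator.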


-- pete

--------------------- Original Message Ends --------------------

-- pete


