[XviD-devel] bug in xvid decoder when parsing input bitstream

Greg Handi notarealaccount at yahoo.com
Thu Sep 7 02:05:56 CEST 2006


I believe this is another bug (in decoder_decode):

    if (coding_type == -3)
      decoder_resize(dec);

There is no check if the resize call had a memory error and tore down
the various buffers and freed all the memory.  I think it should be
like this instead:

    if (coding_type == -3) {
      int error = decoder_resize(dec);
      if (error) return error;
    }

I'm not sure if I missed something that might need to occur before
returning if the error occurs but it needs to return the error.


--- Michael Militzer <michael at xvid.org> wrote:

> Hello,
> 
> We've committed a fix to the bitstream.h file on cvs head. If the
> XVID_SAFE_BS_TAIL flag is defined (disabled by default), a cross check is
> performed before accessing *(bs->tail+2).
> 
> However, this additional check will cost performance. Hence, we recommend
> that you do not use the XVID_SAFE_BS_TAIL flag but instead pad your input
> buffer to 8 bytes if possible. Only if that is not doable, you should try
> XVID_SAFE_BS_TAIL.
> 
> Regards,
> Michael
> 
> 
> Quoting liang jian <jianliang79 at gmail.com>:
> 
> > Hello everyone, I have found a bug in the xvid decoder when parsing the
> > input bitstream. This bug can be reproduced through the following steps:
> >
> > 1) prepare a 16 x 16 image in the YUY2 video format, clear it with black
> > color (y = 16, cb = cr = 128)
> >
> > 2) encode this image into an I-frame using xvid (simple profile level 3);
> > the coded stream is 52 bytes long.
> >
> > 3) allocate one page using VirtualAlloc (use mmap in linux), copy the
> > encoded stream to the end of this page.
> >
> > 4) decode the encoded stream in that page using xvid; a read access
> > violation occurs in the BitstreamSkip() function when it executes the
> > following line:
> >    tmp = *((uint32_t *) bs->tail + 2);
> >
> > The BitstreamSkip() function updates the bit position in the bitstream,
> > and always reads the uint32_t value next to the uint32_t value containing
> > the current bit position. When the decoder reaches the end of the stream,
> > BitstreamSkip() will unavoidably read memory whose address is bigger than
> > the last byte of the input stream (and in the above case this address is
> > an invalid address).
> >
> >
> > the code is attached.
> 
> 
> 
> 
> _______________________________________________
> XviD-devel mailing list
> XviD-devel at xvid.org
> http://list.xvid.org/mailman/listinfo/xvid-devel
> 

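To make the two mitigations discussed above concrete, here is an added example that is not XviD's code: a minimal big-endian bitstream reader that, like the one in the thread, keeps the current 32-bit word plus one lookahead word buffered and refills them while skipping bits. It shows how many bytes past the end of a 52-byte stream such a reader touches, why 8 bytes of padding absorbs exactly that, and how a runtime tail check (the XVID_SAFE_BS_TAIL idea) refuses the out-of-bounds load instead. All struct, field and function names are this example's own, and the 52-byte sample is constructed filler, not a real encoded frame.

```c
/* Added example, not XviD's code: a two-word lookahead bitstream reader
 * with the two end-of-input mitigations from the thread. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define BS_PAD 8   /* the reader buffers two 32-bit words, so it can touch
                      up to 8 bytes past the last input byte */

typedef struct {
    const uint8_t *next;  /* next input bytes to load into bufb */
    const uint8_t *end;   /* one past the last byte the caller supplied */
    uint32_t bufa, bufb;  /* current word and lookahead word */
    unsigned pos;         /* bit position inside bufa, 0..31 */
    int safe_tail;        /* nonzero: bounds-check every lookahead load */
    int overreads;        /* lookahead loads that lay at or beyond end */
} bitstream_t;

/* Constructed sample: a start-code-like header followed by filler bytes.
 * It is 52 bytes long like the stream in the report, but not a real frame. */
static const uint8_t kSample[52] = {
    0x00, 0x00, 0x01, 0xB6, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
    0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
    0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
    0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
    0xA5, 0xA5, 0xA5, 0xA5 };
static const size_t kSampleLen = sizeof kSample;

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Load the next lookahead word. With safe_tail the load is refused and zero
 * bits are substituted when fewer than 4 bytes remain. Without it the reader
 * dereferences bytes after end, which is only safe if the caller padded the
 * buffer; on an unpadded page-end buffer it is the reported access fault. */
static uint32_t bs_fetch(bitstream_t *bs)
{
    if (bs->next + 4 > bs->end) {
        bs->overreads++;
        if (bs->safe_tail) { bs->next = bs->end; return 0; }
    }
    uint32_t w = load_be32(bs->next);
    bs->next += 4;
    return w;
}

static void bs_init(bitstream_t *bs, const uint8_t *data, size_t len, int safe_tail)
{
    bs->next = data;  bs->end = data + len;
    bs->safe_tail = safe_tail;  bs->overreads = 0;  bs->pos = 0;
    bs->bufa = bs_fetch(bs);
    bs->bufb = bs_fetch(bs);
}

/* Advance the bit position, refilling bufa/bufb from the input the way a
 * skip routine does. Returns -1 once the checked reader ran off the input. */
static int bs_skip(bitstream_t *bs, unsigned bits)
{
    bs->pos += bits;
    while (bs->pos >= 32) {
        bs->bufa = bs->bufb;
        bs->bufb = bs_fetch(bs);
        bs->pos -= 32;
    }
    return (bs->safe_tail && bs->overreads) ? -1 : 0;
}

/* Peek the next n bits (1..32) without consuming them. */
static uint32_t bs_show(const bitstream_t *bs, unsigned n)
{
    uint64_t win = ((uint64_t)bs->bufa << 32) | bs->bufb;
    return (uint32_t)((win << bs->pos) >> (64 - n));
}

/* Mitigation 1 (the thread's preferred one): copy the stream into a buffer
 * with BS_PAD zero bytes after it so the unchecked lookahead stays in bounds. */
static uint8_t *bs_padded_copy(const uint8_t *data, size_t len)
{
    uint8_t *buf = calloc(len + BS_PAD, 1);
    if (buf) memcpy(buf, data, len);
    return buf;
}

/* Consume all len*8 bits and report how many lookahead words fell beyond the
 * stream end. safe_tail selects mitigation 2 (runtime check); without it the
 * caller must have used bs_padded_copy. */
static int consume_all(const uint8_t *data, size_t len, int safe_tail, int *overreads)
{
    bitstream_t bs;
    bs_init(&bs, data, len, safe_tail);
    int rc = bs_skip(&bs, (unsigned)(len * 8));
    *overreads = bs.overreads;
    return rc;
}

int main(void)
{
    int ov;
    uint8_t *padded = bs_padded_copy(kSample, kSampleLen);
    if (!padded) return 1;
    consume_all(padded, kSampleLen, 0, &ov);
    printf("padded, unchecked: %d lookahead words (%d bytes) past end\n", ov, ov * 4);
    int rc = consume_all(kSample, kSampleLen, 1, &ov);
    printf("unpadded, checked: rc=%d, %d refused loads\n", rc, ov);
    free(padded);
    return 0;
}
```

Consuming the whole 52-byte stream makes the reader load two words beyond the end (bytes 52..59), which is exactly the 8 bytes of padding the thread recommends; with the check enabled those loads are refused, zero bits are substituted and the skip reports an error, which is the cost-versus-safety trade-off Michael describes.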
