[XviD-devel] bug in xvid decoder when parsing input bitstream


To: xvid-devel@xxxxxxxx
Subject: [XviD-devel] bug in xvid decoder when parsing input bitstream
From: "liang jian" <jianliang79@xxxxxxxxx>
Date: Tue, 29 Aug 2006 16:12:13 +0800

Hello everyone, I have found a bug in the xvid decoder when parsing the input
bitstream. This bug can be reproduced through the following steps:

1) Prepare a 16 x 16 image with YUY2 video format, clear it with black
color (y = 16, cb = cr = 128).

2) Encode this image into an I-frame using xvid (simple profile level 3); the
coded stream is 52 bytes long.

3) Allocate one page using VirtualAlloc (use mmap in Linux), copy the
encoded stream to the end of this page.

4) Decode the encoded stream in that page using xvid; a read access
violation occurs in the BitstreamSkip() function when it executes the following
line:
   tmp = *((uint32_t *) bs->tail + 2);

The BitstreamSkip() function updates the bit position in the bitstream, and always
reads a uint32_t value which is next to the uint32_t value that contains the
current bit position. When the decoder reaches the end of the stream,
BitstreamSkip() will unavoidably read memory whose address is bigger
than that of the last byte of the input stream (and in the above case this address
is an invalid address).


The code is attached.

Attachment: crash.c
Description: Text document

_______________________________________________
XviD-devel mailing list
XviD-devel@xxxxxxxx
http://list.xvid.org/mailman/listinfo/xvid-devel
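
The look-ahead read described in the message above, as an added example that is not part of the original post and is not XviD's source: a simplified model of a reader that prefetches the next 32-bit word, using a bounds-checked load that reports when an unchecked 4-byte load would have crossed the end of the input. The names `reader_t`, `load_checked`, `skip_bits` and `count_overreads`, and the zero-filled sample stream, are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a reader with one-word look-ahead.
 * All names are hypothetical; this is not XviD's source. */
typedef struct {
    const uint8_t *start; /* first byte of the input */
    size_t length;        /* valid bytes in the input */
    size_t word;          /* index of the 32-bit word holding the current bit */
    uint32_t pos;         /* bit offset inside that word, 0..31 */
    uint32_t bufa, bufb;  /* current word and prefetched next word */
} reader_t;

/* Big-endian load of word idx that never touches bytes past the input;
 * bytes beyond the end read as zero. */
static uint32_t load_checked(const reader_t *r, size_t idx) {
    uint8_t b[4] = {0, 0, 0, 0};
    size_t off = idx * 4;
    if (off < r->length) {
        size_t n = r->length - off;
        memcpy(b, r->start + off, n < 4 ? n : 4);
    }
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Advance by bits (<= 32). Returns 1 when the refill needed a word that an
 * unchecked 4-byte load would have read past the end of the input. */
static int skip_bits(reader_t *r, uint32_t bits) {
    int past_end = 0;
    r->pos += bits;
    if (r->pos >= 32) {
        r->pos -= 32;
        r->word++;
        r->bufa = r->bufb;
        past_end = (r->word + 1) * 4 + 4 > r->length;
        r->bufb = load_checked(r, r->word + 1);
    }
    return past_end;
}

/* Consume total_bits (a multiple of 8) from a constructed zero-filled stream
 * of len bytes (len <= 64); count refills that would have over-read. */
static int count_overreads(size_t len, uint32_t total_bits) {
    static const uint8_t stream[64] = {0}; /* constructed sample input */
    reader_t r = { stream, len, 0, 0, 0, 0 };
    int n = 0;
    r.bufa = load_checked(&r, 0);
    r.bufb = load_checked(&r, 1);
    for (uint32_t done = 0; done < total_bits; done += 8)
        n += skip_bits(&r, 8);
    return n;
}

int main(void) { return count_overreads(52, 384) == 1 ? 0 : 1; }
```

In this model a 52-byte input first crosses its end once 384 bits have been consumed, while the same stream placed in a buffer with 8 trailing padding bytes (length 60) never does.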