Invalid write in dvbsubdec.c

[dm@…]

I was playing a recording I made a while ago and found that it was repeatably crashing the frontend. The recording was somewhat noisy and reported various ac-tex damaged and mb incr damaged errors but I wouldn't have expected it to crash. Under gdb it looked that it might be a double-free problem so I ran the frontend under valgrind and it reported invalid writes in dvbsub_parse_pixel_data_block. I'm attaching the valgrind log. This is SVN 9744. David.

[dm@…]

I just noticed the following in the log: [dvbsub @ 0x4e0b18c]Junk in packet DVBSub error: line overflow DVBSub error: line overflow [dvbsub @ 0x4e0b18c]Invalid object location! [dvbsub @ 0x4e0b18c]Invalid object location!

I guess it's not recovering correctly from the error. The full log is attached. David.

[danielk]

David, can you debug this? Having the broken file is a prerequisite for debugging this.

First look to see if it is possible to CRC check the segments in the dvbsub_decode loop. If not, just make those functions watertight. Unfortunately, it doesn't look like there are any fixes in ffmpeg cvs.

[dm@…]

I couldn't see any way to use CRC checking there but I did discover an error in the bounds checking in dvbsubdec.c that meant that an invalid value wasn't being rejected properly. The patch (one line) is attached. With this patch applied the file plays without crashing or upsetting valgrind. With subtitles enabled it looks like one sentence of the subtitling is lost but otherwise it's fine.

David

[danielk]

(In [9780]) Closes #1708. Fixes bounds checking in dvb subtitle code, thanks to patch from David Matthews.

Dave, can you send this patch to the ffmpeg mailing list as well, so that this gets applied upstream?