Closed
Description
The stack buffer overflow occurs here:
```c
sps->poc_cycle_length = bs_get_ue(bs);   /* count read straight from the bitstream, never bounded */
for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
```
I don't know exactly how bs_get_ue works, but it seems to return a u32. The size of offset_for_ref_frame is only 256 entries, so we can get this to overflow. The sps variable is a stack variable that comes from a parent function, for example in avcc_Read.
Using this bug, I can craft an MP4 file that can overwrite anything above this variable in the stack, such as other fields in AVC_SPS, stack variables, etc.
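The root cause is a loop bound taken from attacker-controlled input without checking it against the fixed-size destination array. The following is an added example, not GPAC's code: it uses a hypothetical Exp-Golomb bit reader (`br_ue`/`br_se`, standing in for the `bs_get_ue`/`bs_get_se` calls in the report) and a hardened `parse_poc_cycle` that rejects a count of 256 or more before the loop runs. The two byte strings are constructed inputs, one with a valid count of 2 and one encoding a count of 300 of the kind that would overflow the 256-entry array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical MSB-first bit reader; a stand-in for the bitstream API used by
 * the reported parser, not that project's code. */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* buffer length in bytes */
    size_t pos;   /* current bit position */
} bitreader;

static int br_bit(bitreader *br)
{
    if (br->pos >= br->len * 8) return -1;          /* out of data */
    int b = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return b;
}

/* Unsigned Exp-Golomb ue(v): n leading zero bits, a one, then n info bits. */
static int br_ue(bitreader *br, uint32_t *out)
{
    int zeros = 0, b;
    while ((b = br_bit(br)) == 0)
        if (++zeros > 31) return -1;                /* malformed or truncated */
    if (b < 0) return -1;
    uint32_t info = 0;
    for (int i = 0; i < zeros; i++) {
        if ((b = br_bit(br)) < 0) return -1;
        info = (info << 1) | (uint32_t)b;
    }
    *out = ((1u << zeros) - 1) + info;
    return 0;
}

/* Signed Exp-Golomb se(v): odd k -> +(k+1)/2, even k -> -k/2. */
static int br_se(bitreader *br, int32_t *out)
{
    uint32_t k;
    if (br_ue(br, &k)) return -1;
    *out = (k & 1) ? (int32_t)((k + 1) / 2) : -(int32_t)(k / 2);
    return 0;
}

#define MAX_POC_CYCLE 256 /* size of offset_for_ref_frame[] in the report */

typedef struct {
    uint32_t poc_cycle_length;
    int32_t  offset_for_ref_frame[MAX_POC_CYCLE];
} sps_t;

/* Hardened form of the loop in the report: the count decoded from the stream
 * is validated against the array size before it drives the loop.
 * (H.264 7.4.2.1.1 limits num_ref_frames_in_pic_order_cnt_cycle to 0..255.) */
static int parse_poc_cycle(const uint8_t *data, size_t len, sps_t *sps)
{
    bitreader br = { data, len, 0 };
    uint32_t n;
    if (br_ue(&br, &n)) return -1;                  /* truncated input */
    if (n >= MAX_POC_CYCLE) return -2;              /* would overflow the array */
    sps->poc_cycle_length = n;
    for (uint32_t i = 0; i < n; i++)
        if (br_se(&br, &sps->offset_for_ref_frame[i])) return -1;
    return 0;
}

/* Constructed samples, not taken from a real file:
 * ue(2) se(+1) se(-1) = 011 010 011 -> 0x69 0x80 */
static const uint8_t SAMPLE_OK[] = { 0x69, 0x80 };
/* ue(300): 300+1 = 0b100101101 -> 8 zeros, then 9 bits -> 0x00 0x96 0x80 */
static const uint8_t SAMPLE_OVERSIZED[] = { 0x00, 0x96, 0x80 };

int demo_valid(void)      /* returns the parsed count (2), or negative on error */
{
    sps_t sps = {0};
    int rc = parse_poc_cycle(SAMPLE_OK, sizeof SAMPLE_OK, &sps);
    if (rc) return rc;
    if (sps.offset_for_ref_frame[0] != 1 || sps.offset_for_ref_frame[1] != -1) return -9;
    return (int)sps.poc_cycle_length;
}

int demo_oversized(void)  /* returns -2: the count of 300 is rejected before the loop */
{
    sps_t sps = {0};
    return parse_poc_cycle(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &sps);
}

int main(void)
{
    printf("valid sample: %d\n", demo_valid());
    printf("oversized sample: %d\n", demo_oversized());
    return 0;
}
```

The check belongs on the decoded count, before the loop, because once the loop starts every iteration past index 255 writes beyond the array. A parser can also mirror this with a compile-time assertion that `MAX_POC_CYCLE` matches the array length, so the two cannot drift apart.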