[FFmpeg-cvslog] lcl: error out if uncompressed input buffer is smaller than framesize.
Ronald S. Bultje
git at videolan.org
Mon Apr 2 01:45:10 CEST 2012
ffmpeg | branch: release/0.8 | Ronald S. Bultje <rsbultje at gmail.com> | Thu Feb 23 16:09:36 2012 -0800| [d10c22d33ce3d134025bc7fb0b2acbd58a0cef50] | committer: Reinhard Tartler
lcl: error out if uncompressed input buffer is smaller than framesize.
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea)
Signed-off-by: Anton Khirnov <anton at khirnov.net>
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d10c22d33ce3d134025bc7fb0b2acbd58a0cef50
---
libavcodec/lcldec.c | 23 ++++++++++++++++++++++-
1 files changed, 22 insertions(+), 1 deletions(-)
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 70414d4..017df55 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
len = mszh_dlen;
}
break;
- case COMP_MSZH_NOCOMP:
+ case COMP_MSZH_NOCOMP: {
+ int bppx2;
+ switch (c->imgtype) {
+ case IMGTYPE_YUV111:
+ case IMGTYPE_RGB24:
+ bppx2 = 6;
+ break;
+ case IMGTYPE_YUV422:
+ case IMGTYPE_YUV211:
+ bppx2 = 4;
+ break;
+ case IMGTYPE_YUV411:
+ case IMGTYPE_YUV420:
+ bppx2 = 3;
+ break;
+ default:
+ bppx2 = 0; // will error out below
+ break;
+ }
+ if (len < ((width * height * bppx2) >> 1))
+ return AVERROR_INVALIDDATA;
break;
+ }
default:
av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
return -1;
More information about the ffmpeg-cvslog
mailing list