[FFmpeg-cvslog] exr: check if line offset table is complete only once per frame
Paul B Mahol
git at videolan.org
Fri Feb 22 20:34:59 CET 2013
ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Thu Feb 21 12:30:40 2013 +0000| [9c75c24de40d54948a3d39b11181c575875bdc7a] | committer: Paul B Mahol
exr: check if line offset table is complete only once per frame
Signed-off-by: Paul B Mahol <onemda at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9c75c24de40d54948a3d39b11181c575875bdc7a
---
libavcodec/exr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 0440e93..ab94ca0 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -245,6 +245,7 @@ static int decode_frame(AVCodecContext *avctx,
unsigned int ymin = ~0;
unsigned int ymax = ~0;
unsigned int xdelta = ~0;
+ unsigned int ydelta = ~0;
int out_line_size;
int bxmin, axmax;
@@ -362,6 +363,7 @@ static int decode_frame(AVCodecContext *avctx,
xmax = AV_RL32(buf + 8);
ymax = AV_RL32(buf + 12);
xdelta = (xmax-xmin) + 1;
+ ydelta = (ymax-ymin) + 1;
buf += variable_buffer_data_size;
continue;
@@ -517,10 +519,12 @@ static int decode_frame(AVCodecContext *avctx,
ptr += stride;
}
+ if (buf_end - buf < (ydelta + scan_lines_per_block - 1) / scan_lines_per_block * 8)
+ return AVERROR_INVALIDDATA;
+
// Process the actual scan line blocks
for (y = ymin; y <= ymax; y += scan_lines_per_block) {
uint16_t *ptr_x;
- if (buf_end - buf > 8) {
const uint8_t *red_channel_buffer, *green_channel_buffer, *blue_channel_buffer, *alpha_channel_buffer = 0;
const uint64_t line_offset = bytestream_get_le64(&buf);
int32_t data_size, line;
@@ -622,7 +626,6 @@ static int decode_frame(AVCodecContext *avctx,
if (alpha_channel_buffer)
alpha_channel_buffer += scan_line_size;
}
- }
}
// Zero out the end if ymax+1 is not h
More information about the ffmpeg-cvslog
mailing list