[FFmpeg-cvslog] avformat/apngdec: validate frame dimensions.
Benoit Fouet
git at videolan.org
Wed Nov 26 23:57:17 CET 2014
ffmpeg | branch: master | Benoit Fouet <benoit.fouet at free.fr> | Wed Nov 26 10:12:18 2014 +0100| [e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d] | committer: Michael Niedermayer
avformat/apngdec: validate frame dimensions.
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d
---
libavformat/apngdec.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index 8aa70a0..276d765 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -301,7 +301,11 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
height != s->streams[0]->codec->height ||
x_offset != 0 ||
y_offset != 0) {
- if (sequence_number == 0)
+ if (sequence_number == 0 ||
+ x_offset >= s->streams[0]->codec->width ||
+ width > s->streams[0]->codec->width - x_offset ||
+ y_offset >= s->streams[0]->codec->height ||
+ height > s->streams[0]->codec->height - y_offset)
return AVERROR_INVALIDDATA;
ctx->is_key_frame = 0;
} else {
More information about the ffmpeg-cvslog
mailing list