[FFmpeg-devel] [PATCH] DPX decode: add buffer size checks.
Stefano Sabatini
stefano.sabatini-lala at poste.it
Fri Mar 25 19:08:43 CET 2011
On date Friday 2011-03-25 19:03:56 +0100, Reimar Döffinger encoded:
> ---
> libavcodec/dpx.c | 19 ++++++++++++++-----
> 1 files changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
> index ade4e8c..7fff985 100644
> --- a/libavcodec/dpx.c
> +++ b/libavcodec/dpx.c
> @@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx,
>
> unsigned int rgbBuffer;
>
> + if (avpkt->size <= 0x324) {
> + av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n");
> + return AVERROR_INVALIDDATA;
> + }
> +
> magic_num = AV_RB32(buf);
> buf += 4;
>
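Review bot: The bound `0x324` in the new size check is a bare literal, so a reader cannot confirm that it covers the highest fixed-offset header access; only the read at `0x304` is visible in this patch, and any later reads are outside the quoted hunks. I would add a comment that names the field that sets the bound, along the lines of `/* fixed header fields are read up to <last field offset>, so require size > 0x324 */`. Alternatively, a named constant shared by the check and the reads would stop the two from drifting apart. decode_frame begins and ends outside the hunk.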
> @@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx,
> }
>
> offset = read32(&buf, endian);
> + if (avpkt->size <= offset) {
> + av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n");
> + return AVERROR_INVALIDDATA;
> + }
> // Need to end in 0x304 offset from start of file
> buf = avpkt->data + 0x304;
> w = read32(&buf, endian);
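Review bot: The added test `avpkt->size <= offset` only rejects bad offsets if `offset` is unsigned. Its declaration is outside the hunk; if it is a plain `int`, a header value with the top bit set turns negative, passes the test, and any later use of `offset` as a displacement from `avpkt->data` would land before the packet. Comparing in unsigned, `if ((unsigned)offset >= (unsigned)avpkt->size)`, is correct whatever the declared type, since `size` is already known to be positive after the 0x324 check. The same signed-arithmetic concern applies to the last hunk, where `source_packet_size*avctx->width*avctx->height` is presumably an `int` product that can overflow unless the dimensions are bounded earlier. Doing that multiplication in a 64-bit type keeps the comparison with `buf_end - buf` meaningful.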
> @@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx,
> case 10:
> avctx->pix_fmt = PIX_FMT_RGB48;
> target_packet_size = 6;
> - source_packet_size = elements * 2;
> + source_packet_size = 4;
Is this related?
> break;
> case 12:
> case 16:
> @@ -156,6 +165,10 @@ static int decode_frame(AVCodecContext *avctx,
> ptr = p->data[0];
> stride = p->linesize[0];
>
> + if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
> + av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
> + return -1;
Nit++: while at it, you may also fix the error code (feel free to skip
the comment).
--
FFmpeg = Fundamental and Freak Minimal Plastic Easy Ghost