[FFmpeg-devel] [PATCH 4/7] Check for invalid/corrupted bitstream in sun raster decoder.

Michael Niedermayer michaelni at gmx.at
Wed Sep 28 00:28:51 CEST 2011


On Tue, Sep 27, 2011 at 11:43:54PM +0200, fenrir at elivagar.org wrote:
> From: Laurent Aimar <fenrir at videolan.org>
> 
> ---
>  libavcodec/sunrast.c |   20 +++++++++++++-------
>  1 files changed, 13 insertions(+), 7 deletions(-)
> 
> diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c
> index 57b0734..494af5d 100644
> --- a/libavcodec/sunrast.c
> +++ b/libavcodec/sunrast.c
> @@ -68,21 +68,29 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
>      type      = AV_RB32(buf+20);
>      maptype   = AV_RB32(buf+24);
>      maplength = AV_RB32(buf+28);
> +    buf += 32;
>  
> -    if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
> -        av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
> +    if (type < RT_OLD || type > RT_FORMAT_IFF) {
> +        av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
>          return -1;
>      }
> -    if (type > RT_FORMAT_IFF) {
> -        av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
> +    if (av_image_check_size(w, h, 0, avctx)) {
> +        av_log(avctx, AV_LOG_ERROR, "invalid image size\n");
>          return -1;
>      }
>      if (maptype & ~1) {
>          av_log(avctx, AV_LOG_ERROR, "invalid colormap type\n");
>          return -1;
>      }
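
Review bot: the removed `type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF` rejection has no replacement in the lines shown, so with the new range check ending at `type > RT_FORMAT_IFF` both types now pass header validation. If the decoder still cannot handle them, keep the "unsupported (compression) type" return alongside the new "invalid" one, or state in the commit message where they are rejected later. The commit message is also only a subject line; it should say which fields are newly validated (type range, image size via `av_image_check_size`, map length) and note that `buf += 32;` now happens before the checks, since later reads depend on that offset.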

> +    if (maplength < 0) {
> +        av_log(avctx, AV_LOG_ERROR, "invalid map length\n");
> +        return -1;
> +    }

This seems impossible, maplength is unsigned

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin