[FFmpeg-devel] [PATCH 2/3] mlvdec: validate bits_per_coded_sample

Peter Ross pross at xvid.org
Sun Dec 20 08:26:18 CET 2015


On Sat, Dec 19, 2015 at 11:49:02PM +0100, Andreas Cadhalpun wrote:
> A negative bits_per_coded_sample doesn't make sense.
> If it is too large, the size calculation for av_get_packet overflows,
> resulting in allocation of a too small buffer.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/mlvdec.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> index 4b3bdc1..2e57aae 100644
> --- a/libavformat/mlvdec.c
> +++ b/libavformat/mlvdec.c
> @@ -135,6 +135,15 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f
>                  avpriv_request_sample(avctx, "raw api version");
>              avio_skip(pb, 20); // pointer, width, height, pitch, frame_size
>              vst->codec->bits_per_coded_sample = avio_rl32(pb);
> +            if (vst->codec->bits_per_coded_sample < 0 ||
> +                (vst->codec->width && vst->codec->height &&
> +                vst->codec->bits_per_coded_sample > (INT_MAX - 7) / (vst->codec->width * vst->codec->height))) {
> +                av_log(avctx, AV_LOG_ERROR,
> +                       "invalid bits_per_coded_sample %d (size: %dx%d)\n",
> +                       vst->codec->bits_per_coded_sample,
> +                       vst->codec->width, vst->codec->height);
> +                return AVERROR_INVALIDDATA;
> +            }
>              avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias
>              if (avio_rl32(pb) != 0x2010100) /* RGGB */
>                  avpriv_request_sample(avctx, "cfa_pattern");
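
Review bot: the divisor `vst->codec->width * vst->codec->height` in the new condition is itself an unchecked int multiplication. The hunk only tests both values for being non-zero, so large or negative dimensions can overflow the product (undefined for signed int). A product that ends up 0 or negative either faults on the division or makes the bound meaningless. Consider computing the product in int64_t, for example `(int64_t)vst->codec->width * vst->codec->height`, and rejecting it when it is not positive, or validating the dimensions first with av_image_check_size(). Note also that when either dimension is 0 only the `< 0` test applies, so any positive bits_per_coded_sample is accepted at this point.
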
> -- 
> 2.6.2

Looks good.

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)