[FFmpeg-devel] [PATCH] jpegls: allocate large enough zero buffer

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Thu Dec 31 17:02:14 CET 2015


On 30.12.2015 21:12, Andreas Cadhalpun wrote:
> It is read up to length s->width * stride, which can be larger than the
> linesize. (stride = (s->nb_components > 1) ? 3 : 1)
> 
> This fixes an out of bounds read.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavcodec/jpeglsdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
> index 68151cb..11ffe93 100644
> --- a/libavcodec/jpeglsdec.c
> +++ b/libavcodec/jpeglsdec.c
> @@ -348,7 +348,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
>      JLSState *state;
>      int off = 0, stride = 1, width, shift, ret = 0;
>  
> -    zero = av_mallocz(s->picture_ptr->linesize[0]);
> +    zero = av_mallocz(FFMAX(s->picture_ptr->linesize[0], s->width * ((s->nb_components > 1) ? 3 : 1)));
>      if (!zero)
>          return AVERROR(ENOMEM);
>      last = zero;
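Review bot: The `+` line enlarges the `zero` buffer but leaves the underlying inconsistency in place: if `s->width * stride` can exceed `linesize[0]`, the frame was allocated for different dimensions or component count than the scan header describes, and a mismatch check returning an error before any allocation would be the cleaner fix (as the follow-up in this message also concludes). Two smaller points on the same line: it open-codes `(s->nb_components > 1) ? 3 : 1` even though a local `stride` is declared just above, so the stride computation is now duplicated and can drift; and the line is well over 80 columns, so if it stays it should be split, e.g. `size_t zero_size = FFMAX(s->picture_ptr->linesize[0], s->width * stride);` once `stride` is computed, followed by `zero = av_mallocz(zero_size);`.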
> 

A better fix is to error out before this happens.
Patch doing that attached.

Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mjpegdec-extend-check-for-incompatible-values-of-s-r.patch
Type: text/x-diff
Size: 1338 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20151231/d6ee3d9d/attachment.patch>