[FFmpeg-devel] [PATCH] jpegls: allocate large enough zero buffer
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Thu Dec 31 17:02:14 CET 2015
On 30.12.2015 21:12, Andreas Cadhalpun wrote:
> It is read up to length s->width * stride, which can be larger than the
> linesize. (stride = (s->nb_components > 1) ? 3 : 1)
>
> This fixes an out of bounds read.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavcodec/jpeglsdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
> index 68151cb..11ffe93 100644
> --- a/libavcodec/jpeglsdec.c
> +++ b/libavcodec/jpeglsdec.c
> @@ -348,7 +348,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
> JLSState *state;
> int off = 0, stride = 1, width, shift, ret = 0;
>
> - zero = av_mallocz(s->picture_ptr->linesize[0]);
> + zero = av_mallocz(FFMAX(s->picture_ptr->linesize[0], s->width * ((s->nb_components > 1) ? 3 : 1)));
> if (!zero)
> return AVERROR(ENOMEM);
> last = zero;
>
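Review bot: the `+` line widens the zero buffer to `FFMAX(s->picture_ptr->linesize[0], s->width * ...)` but leaves the underlying inconsistency (a picture whose linesize[0] is smaller than width * stride) in place, so any other code in the decoder that indexes the plane by linesize is still exposed to the same mismatch; validating that relationship before the allocation and returning AVERROR_INVALIDDATA is the more robust fix. The inline `(s->nb_components > 1) ? 3 : 1` also duplicates the stride computation described in the commit message (the hunk shows `stride = 1` being initialised at the top of the function), so if the enlarged buffer is kept, compute stride once and reuse it rather than letting the two expressions diverge; the resulting line is also well past the usual 80-column limit and would read better split.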
A better fix is to error out before this happens.
Patch doing that attached.
Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mjpegdec-extend-check-for-incompatible-values-of-s-r.patch
Type: text/x-diff
Size: 1338 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20151231/d6ee3d9d/attachment.patch>