[FFmpeg-devel] [PATCH] pngdec: abort if x_offset * bpp >= image_linesize

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sun May 3 17:11:17 CEST 2015


In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/pngdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 26de09d..4488726 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -655,6 +655,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
                 s->row_size, s->crow_size);
         s->image_buf      = p->data[0];
         s->image_linesize = p->linesize[0];
+        if (s->x_offset * s->bpp >= s->image_linesize) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "x_offset * bpp (%d) not smaller than image linesize (%d)\n",
+                    s->x_offset * s->bpp, s->image_linesize);
+            return AVERROR_INVALIDDATA;
+        }
         /* copy the palette if needed */
         if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
             memcpy(p->data[1], s->palette, 256 * sizeof(uint32_t));
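Review bot: the new check bounds only the start of the row, not its end: `x_offset * bpp < image_linesize` guarantees the first pixel of the row lands inside a line, but a row of `row_size` bytes (the value logged in the context line just above) beginning at that offset can still run past the end of the line and into the next one, or past the buffer on the last line. Consider rejecting the frame when `s->x_offset * s->bpp + s->row_size > s->image_linesize` instead (keeping the existing error path and AVERROR_INVALIDDATA), which subsumes the check as written. Two smaller points: the product `s->x_offset * s->bpp` is evaluated in the operands' integer type, so unless `x_offset` is already clamped against the frame width before this point, a large offset can wrap the product and slip through; and the third `av_log` argument line is indented one column deeper than the format string above it, which the project's style would align.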
-- 
2.1.4

