[FFmpeg-devel] [PATCH] pngdec: abort if x_offset * bpp >= image_linesize
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Sun May 3 17:11:17 CEST 2015
In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavcodec/pngdec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 26de09d..4488726 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -655,6 +655,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->row_size, s->crow_size);
s->image_buf = p->data[0];
s->image_linesize = p->linesize[0];
+ if (s->x_offset * s->bpp >= s->image_linesize) {
+ av_log(avctx, AV_LOG_ERROR,
+ "x_offset * bpp (%d) not smaller than image linesize (%d)\n",
+ s->x_offset * s->bpp, s->image_linesize);
+ return AVERROR_INVALIDDATA;
+ }
/* copy the palette if needed */
if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
memcpy(p->data[1], s->palette, 256 * sizeof(uint32_t));
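Review bot: the new check at `if (s->x_offset * s->bpp >= s->image_linesize)` bounds only the first byte of a row, not its end; nothing in this hunk ensures that the sub-image width (whatever field of PNGDecContext holds it) times bpp, added to x_offset * bpp, still fits in image_linesize, so a row that starts inside the buffer can still be written past its end. Two further points on the condition itself: if x_offset is taken from chunk data, the product `s->x_offset * s->bpp` can overflow int before the comparison (and before the `%d` in the av_log), so a division-based form such as `s->x_offset >= s->image_linesize / s->bpp` (bpp is non-zero here) or a 64-bit intermediate is safer; and since AVFrame linesize values are allowed to be negative, a negative `p->linesize[0]` would make this comparison reject every valid frame, so compare against the absolute value or the plane width if that case can reach this decoder.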
--
2.1.4