[FFmpeg-devel] [libav-devel] [PATCH 2/4] dds: validate compressed source buffer size

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Wed Nov 11 21:59:06 CET 2015


On 11.11.2015 12:31, Vittorio Giovara wrote:
> On Wed, Nov 11, 2015 at 1:15 AM, Andreas Cadhalpun
> <andreas.cadhalpun at googlemail.com> wrote:
>> A too small buffer will cause segfaults somewhere below
>> decompress_texture_thread.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>>  libavcodec/dds.c | 9 +++++++++
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/libavcodec/dds.c b/libavcodec/dds.c
>> index 324e665..c918cf0 100644
>> --- a/libavcodec/dds.c
>> +++ b/libavcodec/dds.c
>> @@ -642,9 +642,18 @@ static int dds_decode(AVCodecContext *avctx, void *data,
>>          return ret;
>>
>>      if (ctx->compressed) {
>> +        int size = (avctx->coded_height / TEXTURE_BLOCK_H) *
>> +                   (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio;
>>          ctx->slice_count = av_clip(avctx->thread_count, 1,
>>                                     avctx->coded_height / TEXTURE_BLOCK_H);
>>
>> +        if (bytestream2_get_bytes_left(gbc) < size) {
>> +            av_log(avctx, AV_LOG_ERROR,
>> +                   "Compressed Buffer is too small (%d < %d).\n",
>> +                   bytestream2_get_bytes_left(gbc), size);
>> +            return AVERROR_INVALIDDATA;
>> +        }
>> +
>>          /* Use the decompress function on the texture, one block per thread. */
>>          ctx->tex_data = gbc->buffer;
>>          avctx->execute2(avctx, decompress_texture_thread, frame, NULL, ctx->slice_count);
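Review bot: The `size` computation at the top of the `if (ctx->compressed)` block multiplies three `int` values with no overflow guard. For large `coded_width`/`coded_height` the product can overflow, and the `bytestream2_get_bytes_left(gbc) < size` test could then pass with a buffer that is still too small. Unless a dimension check outside this hunk already bounds the product, compute it in `int64_t` (adjusting the `%d` in the log message to match) or reject oversized dimensions before the multiply. Both divisions also truncate, so the check only accounts for whole blocks. That matches the `slice_count` clip on the next line, but a short comment stating that the coded dimensions are expected to be multiples of `TEXTURE_BLOCK_W`/`TEXTURE_BLOCK_H` would make the assumption explicit.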
>> --
> 
> Not sure if we should check this before the ff_get_buffer to avoid an
> allocation in case of error, but I think the patch is correct.

Pushed.

Best regards,
Andreas


