[FFmpeg-devel] [PATCH] avcodec/rscc: check deflated input pixel buffer size

Michael Niedermayer michael at niedermayer.cc
Wed May 11 02:30:25 CEST 2016


On Tue, May 10, 2016 at 04:30:03PM -0300, James Almer wrote:
> Prevents overreads as reported by valgrind
> 
> Signed-off-by: James Almer <jamrial at gmail.com>
> ---
> See http://fate.ffmpeg.org/report.cgi?time=20160509191458&slot=x86_64-archlinux-gcc-valgrindundef
> 
>  libavcodec/rscc.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
> index a47d29f..b1f6f87 100644
> --- a/libavcodec/rscc.c
> +++ b/libavcodec/rscc.c
> @@ -258,6 +258,11 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
>          pixels = gbc->buffer;
>      } else {
>          uLongf len = ctx->inflated_size;
> +        if (bytestream2_get_bytes_left(gbc) < packed_size) {
> +            av_log(avctx, AV_LOG_ERROR, "Insufficient input for %d\n", packed_size);
> +            ret = AVERROR_INVALIDDATA;
> +            goto end;
> +        }

you might want to check for packed_size < 0
isnt strictly needed i guess but seems more proper

LGTM otherwise

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20160511/ac62ec71/attachment.sig>


More information about the ffmpeg-devel mailing list