[FFmpeg-devel] [PATCH 2/3] exr: fix out-of-bounds read

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Wed Nov 16 21:56:50 EET 2016


channel_index can be -1.

This problem was introduced in commit
2dd7b46132e2801ef34fe1b5c27e0113cdcfa2f9.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/exr.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 54869d2..bff08f2 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1430,8 +1430,7 @@ static int decode_header(EXRContext *s)
                     return AVERROR_PATCHWELCOME;
                 }
 
-                if (s->channel_offsets[channel_index] == -1){/* channel have not been previously assign */
-                    if (channel_index >= 0) {
+                if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */
                         if (s->pixel_type != EXR_UNKNOWN &&
                             s->pixel_type != current_pixel_type) {
                             av_log(s->avctx, AV_LOG_ERROR,
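Review bot: The rewritten `if` is safe only because `channel_index >= 0` is evaluated before `s->channel_offsets[channel_index]`, and the code does not say so; a later edit that reorders or splits the test would bring back the read at index -1. I would extend the trailing comment to `/* channel_index may be -1, so test it before indexing channel_offsets[]; an offset of -1 means the channel has not been assigned yet */`. The body lines under the `if` still carry the indentation of the removed inner `if`, which reads as a missing brace level; re-indenting them in a separate cosmetic commit would keep this fix minimal. The guarded block continues into the next hunk, and decode_header starts and ends outside both.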
@@ -1440,7 +1439,6 @@ static int decode_header(EXRContext *s)
                         }
                         s->pixel_type                     = current_pixel_type;
                         s->channel_offsets[channel_index] = s->current_channel_offset;
-                    }
                 }
 
                 s->channels = av_realloc(s->channels,
-- 
2.10.2


