[FFmpeg-devel] [PATCH 04/16] txd: check for out of bound reads.

Reimar Döffinger Reimar.Doeffinger at gmx.de
Sun Oct 9 00:21:36 CEST 2011


On Sat, Oct 08, 2011 at 11:40:29PM +0200, fenrir at elivagar.org wrote:
> +        if (buf_end - cur < 1024)
> +            return AVERROR_INVALIDDATA;
>          avctx->pix_fmt = PIX_FMT_PAL8;
>          cur += 1024;
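
Review bot: The literal 1024 now appears twice, once in the new `buf_end - cur < 1024` check and once in `cur += 1024`, and nothing ties the two together. A single named constant, or a short comment saying what the 1024 bytes are, would keep the bound and the skip from drifting apart in a later edit. The check also assumes `cur` is not already past `buf_end` when it is reached, which these lines do not show.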

The if after the pix_fmt would be more readable.

> @@ -133,8 +146,12 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
>          }
>      }
>  
> -    for (; mipmap_count > 1; mipmap_count--)
> -        cur += AV_RL32(cur) + 4;
> +    for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) {
> +        uint32_t length = AV_RL32(cur);
> +        if (buf_end - cur - 4 < length )
> +            break;
> +        cur += length + 4;
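
Review bot: A truncated mipmap chain is dropped silently here: both the `buf_end - cur >= 4` loop condition and the `break` on an oversized `length` leave the loop with `mipmap_count` still above 1, whereas the earlier hunk returns AVERROR_INVALIDDATA for short input. Either return the same error, or add a comment saying that ignoring the remaining mipmaps is intended. The comparison `buf_end - cur - 4 < length` mixes a signed pointer difference with a `uint32_t` and is only safe because the loop condition keeps the left side non-negative, so that dependency deserves a comment if the condition is ever changed.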

The space before ) should not be there.
Also seems simpler as
uint32_t length = bytestream_get_le32(&cur);
if (length > buf_end - cur)
  break;
cur += length;

