[FFmpeg-devel] [PATCH] pngdec: abort if x_offset * bpp >= image_linesize

Michael Niedermayer michaelni at gmx.at
Sun May 3 22:04:03 CEST 2015


On Sun, May 03, 2015 at 08:41:35PM +0200, Andreas Cadhalpun wrote:
> On 03.05.2015 20:09, Michael Niedermayer wrote:
> > On Sun, May 03, 2015 at 05:11:17PM +0200, Andreas Cadhalpun wrote:
> >> In this case ptr could be set to a position outside the image_buf in
> >> png_handle_row, leading to memory corruption and thus crashes.
> >>
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >>  libavcodec/pngdec.c | 6 ++++++
> >>  1 file changed, 6 insertions(+)
> >>
> >> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
> >> index 26de09d..4488726 100644
> >> --- a/libavcodec/pngdec.c
> >> +++ b/libavcodec/pngdec.c
> >> @@ -655,6 +655,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
> >>                  s->row_size, s->crow_size);
> >>          s->image_buf      = p->data[0];
> >>          s->image_linesize = p->linesize[0];
> >> +        if (s->x_offset * s->bpp >= s->image_linesize) {
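Review bot: the bound on the added `if` line mixes units: `x_offset` is a count of pixels, while `image_linesize` is a byte count that is neither a lower nor an upper bound on the visible width, so the comparison is too loose when the allocation pads the row beyond the width (a pixel offset already past the image width can still satisfy `x_offset * bpp < image_linesize`) and too strict for bitstream formats such as AV_PIX_FMT_MONOBLACK, whose linesize is reduced to `(linesize + 7) >> 3` and for which valid offsets would be rejected. Validate `x_offset` in pixels against the frame width at the point where it is parsed, or refuse the unsupported format combination; only the condition is visible in the quoted hunk, so the body it guards cannot be reviewed here.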
> > 
> > this doesn't look correct, the linesize could be larger than the
> > width in pixels, yet still x_offset shouldn't point outside the width,
> > and x_offset is being checked where it's read
> 
> The problem is that the original check assumes linesize >= width.
> However this is not the case for AV_PIX_FMT_MONOBLACK, which has the
> AV_PIX_FMT_FLAG_BITSTREAM flag. Thus the linesize is divided by 8 in
> image_get_linesize:
>     if (desc->flags & AV_PIX_FMT_FLAG_BITSTREAM)
>         linesize = (linesize + 7) >> 3;
> 
> > maybe there's some missing check on chunk order or something changes
> > that's assumed not to ...
> 
> Alternatively one could just not accept AV_PIX_FMT_MONOBLACK in
> combination with AV_CODEC_ID_APNG. Patch for that attached.

yes, I think this is better. I suspect the code does not handle
x_offset correctly for APNG AV_PIX_FMT_MONOBLACK; the value is IIUC
a value in pixels, not bytes

patch applied

thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
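The unit mismatch discussed in this thread, as an added example that is not FFmpeg's code nor part of the thread: a small model of the row-pointer arithmetic, with a hypothetical `pixfmt_desc` standing in for AVPixFmtDescriptor and constructed canvas sizes. `model_linesize` mirrors the `(linesize + 7) >> 3` step quoted above for bitstream formats and adds an `align` parameter for allocator padding; `byte_check_rejects` is the condition from the patch, and `pixel_check_rejects` is an illustrative bound in the units x_offset is actually expressed in.

```c
/* Added example, not FFmpeg's code: a model of the row-pointer arithmetic
 * behind the patch, showing why "x_offset * bpp >= linesize" is the wrong
 * bound in both directions. Names and numbers are constructed. */
#include <stdio.h>

/* Hypothetical descriptor standing in for AVPixFmtDescriptor. */
typedef struct {
    const char *name;
    int bits_per_pixel;  /* 1 for a MONOBLACK-like format, 24 for RGB24-like */
    int is_bitstream;    /* models AV_PIX_FMT_FLAG_BITSTREAM */
} pixfmt_desc;

static const pixfmt_desc MONOBLACK_DESC = { "monoblack", 1, 1 };
static const pixfmt_desc RGB24_DESC     = { "rgb24", 24, 0 };

/* Bytes per pixel as the proposed check treats it: bits rounded up to whole
 * bytes, so a 1-bit format still counts as one byte per pixel. */
static int bytes_per_pixel(const pixfmt_desc *d)
{
    return (d->bits_per_pixel + 7) >> 3;
}

/* Linesize in bytes, mirroring the snippet quoted in the thread: for a
 * bitstream format the row is width * bits, then (bits + 7) >> 3 bytes.
 * `align` models the padding an allocator may add beyond the visible width. */
static int model_linesize(const pixfmt_desc *d, int width, int align)
{
    int linesize;
    if (d->is_bitstream)
        linesize = (width * d->bits_per_pixel + 7) >> 3;
    else
        linesize = width * bytes_per_pixel(d);
    if (align > 1)
        linesize = (linesize + align - 1) / align * align;
    return linesize;
}

/* The condition from the quoted hunk: returns 1 if it would reject x_offset. */
static int byte_check_rejects(const pixfmt_desc *d, int canvas_width, int align,
                              int x_offset)
{
    return x_offset * bytes_per_pixel(d) >= model_linesize(d, canvas_width, align);
}

/* A bound in the units x_offset is expressed in (pixels): the sub-frame must
 * fit inside the canvas. Illustrative check, not pngdec's own code. */
static int pixel_check_rejects(int canvas_width, int frame_width, int x_offset)
{
    if (x_offset < 0 || frame_width < 0 || frame_width > canvas_width)
        return 1;
    return x_offset > canvas_width - frame_width;
}

int main(void)
{
    /* Case 1: 64-pixel MONOBLACK canvas, 8-pixel sub-frame at x_offset 10.
     * Linesize is 8 bytes, so 10 * 1 >= 8 fires although 10 + 8 <= 64 is fine:
     * the byte check is too strict. */
    printf("%s: linesize=%d byte_check_rejects=%d pixel_check_rejects=%d\n",
           MONOBLACK_DESC.name,
           model_linesize(&MONOBLACK_DESC, 64, 1),
           byte_check_rejects(&MONOBLACK_DESC, 64, 1, 10),
           pixel_check_rejects(64, 8, 10));
    /* Case 2: 10-pixel RGB24 canvas padded to a 64-byte linesize, 1-pixel
     * sub-frame at x_offset 15. 15 * 3 = 45 < 64 passes the byte check, yet
     * x_offset is already past the 10-pixel width: the byte check is too loose. */
    printf("%s: linesize=%d byte_check_rejects=%d pixel_check_rejects=%d\n",
           RGB24_DESC.name,
           model_linesize(&RGB24_DESC, 10, 64),
           byte_check_rejects(&RGB24_DESC, 10, 64, 15),
           pixel_check_rejects(10, 1, 15));
    return 0;
}
```

The two cases are the two failure directions raised in the thread: padding makes linesize exceed the width in pixels, and the bitstream shift makes it fall below it, so a byte-count comparison cannot serve as a pixel-offset bound.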