[FFmpeg-cvslog] DPX decode: add buffer size checks.
Reimar Döffinger
git at videolan.org
Sat Mar 26 13:46:44 CET 2011
ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Fri Mar 25 18:58:07 2011 +0100| [836131546947db75f2ff81a452e5ee9392c4acf8] | committer: Reimar Döffinger
DPX decode: add buffer size checks.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=836131546947db75f2ff81a452e5ee9392c4acf8
---
libavcodec/dpx.c | 19 ++++++++++++++-----
1 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index ade4e8c..7fff985 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx,
unsigned int rgbBuffer;
+ if (avpkt->size <= 0x324) {
+ av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n");
+ return AVERROR_INVALIDDATA;
+ }
+
magic_num = AV_RB32(buf);
buf += 4;
@@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx,
}
offset = read32(&buf, endian);
+ if (avpkt->size <= offset) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n");
+ return AVERROR_INVALIDDATA;
+ }
// Need to end in 0x304 offset from start of file
buf = avpkt->data + 0x304;
w = read32(&buf, endian);
@@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx,
case 10:
avctx->pix_fmt = PIX_FMT_RGB48;
target_packet_size = 6;
- source_packet_size = elements * 2;
+ source_packet_size = 4;
break;
case 12:
case 16:
@@ -156,6 +165,10 @@ static int decode_frame(AVCodecContext *avctx,
ptr = p->data[0];
stride = p->linesize[0];
+ if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+ av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+ return -1;
+ }
switch (bits_per_color) {
case 10:
for (x = 0; x < avctx->height; x++) {
@@ -173,10 +186,6 @@ static int decode_frame(AVCodecContext *avctx,
case 8:
case 12: // Treat 12-bit as 16-bit
case 16:
- if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
- av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
- return -1;
- }
if (source_packet_size == target_packet_size) {
for (x = 0; x < avctx->height; x++) {
memcpy(ptr, buf, target_packet_size*avctx->width);
More information about the ffmpeg-cvslog
mailing list