[FFmpeg-cvslog] DPX decode: add buffer size checks.

Reimar Döffinger git at videolan.org
Sat Mar 26 13:46:44 CET 2011


ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Fri Mar 25 18:58:07 2011 +0100| [836131546947db75f2ff81a452e5ee9392c4acf8] | committer: Reimar Döffinger

DPX decode: add buffer size checks.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=836131546947db75f2ff81a452e5ee9392c4acf8
---

 libavcodec/dpx.c |   19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index ade4e8c..7fff985 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx,
 
     unsigned int rgbBuffer;
 
+    if (avpkt->size <= 0x324) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     magic_num = AV_RB32(buf);
     buf += 4;
 
@@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx,
     }
 
     offset = read32(&buf, endian);
+    if (avpkt->size <= offset) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n");
+        return AVERROR_INVALIDDATA;
+    }
     // Need to end in 0x304 offset from start of file
     buf = avpkt->data + 0x304;
     w = read32(&buf, endian);
@@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx,
         case 10:
             avctx->pix_fmt = PIX_FMT_RGB48;
             target_packet_size = 6;
-            source_packet_size = elements * 2;
+            source_packet_size = 4;
             break;
         case 12:
         case 16:
@@ -156,6 +165,10 @@ static int decode_frame(AVCodecContext *avctx,
     ptr    = p->data[0];
     stride = p->linesize[0];
 
+    if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+        av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+        return -1;
+    }
     switch (bits_per_color) {
         case 10:
             for (x = 0; x < avctx->height; x++) {
@@ -173,10 +186,6 @@ static int decode_frame(AVCodecContext *avctx,
         case 8:
         case 12: // Treat 12-bit as 16-bit
         case 16:
-            if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
-                av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
-                return -1;
-            }
             if (source_packet_size == target_packet_size) {
                 for (x = 0; x < avctx->height; x++) {
                     memcpy(ptr, buf, target_packet_size*avctx->width);




More information about the ffmpeg-cvslog mailing list