[FFmpeg-devel] [PATCH 2/2] avformat/apngdec: validate frame dimensions.
Michael Niedermayer
michaelni at gmx.at
Wed Nov 26 00:02:54 CET 2014
On Tue, Nov 25, 2014 at 10:52:22AM +0100, Benoit Fouet wrote:
> ---
> libavformat/apngdec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
> index dac71f1..e9c87a1 100644
> --- a/libavformat/apngdec.c
> +++ b/libavformat/apngdec.c
> @@ -295,7 +295,9 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
> height != s->streams[0]->codec->height ||
> x_offset != 0 ||
> y_offset != 0) {
> - if (sequence_number == 0)
> + if (sequence_number == 0 ||
> + width + x_offset > s->streams[0]->codec->width ||
> + height + y_offset > s->streams[0]->codec->height)
the addition can overflow
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20141126/a0c09f57/attachment.asc>
More information about the ffmpeg-devel
mailing list