In this case, ptr in png_handle_row could be set to a position outside image_buf, so the row data would be written out of bounds, corrupting memory and crashing the decoder.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/pngdec.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 26de09d..4488726 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -655,6 +655,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
 s->row_size, s->crow_size);
 s->image_buf = p->data[0];
 s->image_linesize = p->linesize[0];
+ if (s->x_offset * s->bpp >= s->image_linesize) {
+ av_log(avctx, AV_LOG_ERROR,
+ "x_offset * bpp (%d) not smaller than image linesize (%d)\n",
+ s->x_offset * s->bpp, s->image_linesize);
+ return AVERROR_INVALIDDATA;
+ }
 /* copy the palette if needed */
 if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
 memcpy(p->data[1], s->palette, 256 * sizeof(uint32_t));
-- 
2.1.4
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
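Review bot: The added guard `if (s->x_offset * s->bpp >= s->image_linesize)` only bounds the first byte of the row, so a frame whose row starts inside the line but extends past image_linesize is still accepted, and png_handle_row presumably copies a whole row (row_size bytes, going by the `s->row_size` context line above) from ptr rather than a single byte. Unless x_offset and the frame width are already validated against the image width where the fcTL chunk is parsed, the check should cover the full row, e.g. `if ((int64_t)s->x_offset * s->bpp + s->row_size > s->image_linesize)`, which also keeps the product from overflowing signed int if x_offset is a plain int read straight from the chunk. Doing this validation once when the fcTL offsets are parsed, instead of on every IDAT/fdAT chunk, would reject the bad frame earlier and log the error only once. decode_idat_chunk starts and ends outside the hunk.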