On Sun, May 03, 2015 at 05:11:17PM +0200, Andreas Cadhalpun wrote: > In this case ptr could be set to a position outside the image_buf in > png_handle_row, leading to memory corruption and thus crashes. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavcodec/pngdec.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c > index 26de09d..4488726 100644 > --- a/libavcodec/pngdec.c > +++ b/libavcodec/pngdec.c > @@ -655,6 +655,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, > PNGDecContext *s, > s->row_size, s->crow_size); > s->image_buf = p->data[0]; > s->image_linesize = p->linesize[0]; > + if (s->x_offset * s->bpp >= s->image_linesize) {
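Review bot: the guard added after `s->image_linesize = p->linesize[0];` compares against the wrong bound: `s->image_linesize` is the padded stride of the frame buffer, which can be larger than the visible width in bytes, so an `x_offset` that lands in the padding past the last visible pixel would still pass `s->x_offset * s->bpp >= s->image_linesize` while `ptr` in png_handle_row points outside the image data the commit message is worried about. The check should be stated in terms of the picture width in pixels (the offset plus the row's width must fit inside the frame width), and since the quoted `+` line is the last visible line of the hunk, the error path it introduces is not shown here; whatever it does should at least be visible in the patch so a reviewer can confirm the decoder bails out cleanly rather than continuing with a stale `image_buf`. Because `x_offset` is already validated where it is parsed, it is also worth saying in the commit message which chunk ordering or state change lets a validated offset become stale, otherwise this looks like a symptom fix rather than a root-cause fix.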
This doesn't look correct. The linesize could be larger than the width in pixels, yet still x_offset shouldn't point outside the width, and x_offset is being checked where it's read. Maybe there's some missing check on chunk order, or something changes that's assumed not to ...

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many that live deserve death. And some that die deserve life. Can you give it to them? Then do not be too eager to deal out death in judgement. For even the very wise cannot see all ends. -- Gandalf
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel