On 11.11.2015 12:28, Vittorio Giovara wrote:
> On Wed, Nov 11, 2015 at 1:16 AM, Andreas Cadhalpun
> <andreas.cadhal...@googlemail.com> wrote:
>> Otherwise it causes a NULL pointer dereference of frame->data[1].
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavcodec/dds.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/libavcodec/dds.c b/libavcodec/dds.c
>> index c918cf0..fe36709 100644
>> --- a/libavcodec/dds.c
>> +++ b/libavcodec/dds.c
>> @@ -662,6 +662,11 @@ static int dds_decode(AVCodecContext *avctx, void *data,
>>
>>          if (ctx->paletted) {
>>              int i;
>> +            if (!frame->data[1]) {
>> +                av_log(avctx, AV_LOG_ERROR,
>> +                       "Palette frame buffer is not allocated.\n");
>> +                return AVERROR_INVALIDDATA;
>> +            }
>>              /* Use the first 1024 bytes as palette, then copy the rest. */
>>              bytestream2_get_buffer(gbc, frame->data[1], 256 * 4);
>>              for (i = 0; i < 256; i++)
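Review bot: the `if (!frame->data[1])` guard fires only after a frame has already been allocated for a pixel format without a palette plane, so it handles the symptom in dds_decode rather than the cause; a paletted, uncompressed header paired with an avctx->pix_fmt that lacks AV_PIX_FMT_FLAG_PAL/PSEUDOPAL is detectable when the pixel format is parsed, and rejecting it there with AVERROR_INVALIDDATA stops the decoder before it touches a frame it cannot fill. If the guard is kept as defence in depth, the log message should state why the buffer is missing (paletted data with a non-palette pixel format) so the condition is diagnosable from the output.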
> 
> how can this happen?

That's best described with code:
if (!ctx->compressed && ctx->paletted &&
    !(av_pix_fmt_desc_get(avctx->pix_fmt)->flags &
      (AV_PIX_FMT_FLAG_PAL | AV_PIX_FMT_FLAG_PSEUDOPAL)))

Attached is a patch using this expression to check for the problem.

Best regards,
Andreas
From 299189530856da6c3b57e3fcfac034f15244b36b Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Wed, 11 Nov 2015 19:43:28 +0100
Subject: [PATCH] dds: validate palette pixel format

If it doesn't have one of the necessary flags, it can cause a NULL
pointer dereference of frame->data[1] in dds_decode.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/dds.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/dds.c b/libavcodec/dds.c
index f04a4f5..6c4c88a 100644
--- a/libavcodec/dds.c
+++ b/libavcodec/dds.c
@@ -373,6 +373,13 @@ static int parse_pixel_format(AVCodecContext *avctx)
         }
     }
 
+    if (!ctx->compressed && ctx->paletted &&
+        !(av_pix_fmt_desc_get(avctx->pix_fmt)->flags & (AV_PIX_FMT_FLAG_PAL | AV_PIX_FMT_FLAG_PSEUDOPAL))) {
+        av_log(avctx, AV_LOG_ERROR, "Unsupported palette pixel format: %s\n",
+               av_get_pix_fmt_name(avctx->pix_fmt));
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Set any remaining post-proc that should happen before frame is ready. */
     if (alpha_exponent)
         ctx->postproc = DDS_ALPHA_EXP;
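Review bot: the added condition dereferences `av_pix_fmt_desc_get(avctx->pix_fmt)->flags` without checking the descriptor pointer; av_pix_fmt_desc_get() returns NULL for AV_PIX_FMT_NONE or an out-of-range value, so this is only safe if every path reaching this point in parse_pixel_format() has already assigned a valid avctx->pix_fmt. Either state that invariant in the commit message or store the descriptor in a local and return AVERROR_INVALIDDATA when it is NULL. Separately, the second `+` line runs well past 80 columns; putting the flag mask on its own line would match the surrounding style.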
-- 
2.6.2
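As an added illustration of the two checks discussed in this thread (not code from either patch or from FFmpeg), the following program models the parse-time rejection of a paletted header whose output pixel format has no palette plane, next to the decode-time NULL guard on the palette buffer. All names in it (pixfmt_desc_t, PIXFMT_FLAG_PAL, PIXFMT_FLAG_PSEUDOPAL, dds_ctx_t, frame_t, validate_palette_format, decode_palette, check_format, run_decode) are hypothetical stand-ins for the libavutil/libavcodec types, and the descriptor table is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FFmpeg code. All names and the descriptor table below
 * are hypothetical stand-ins constructed for the demonstration. */

#define ERR_INVALIDDATA       (-1)
#define PIXFMT_FLAG_PAL       0x01  /* format carries a real palette plane */
#define PIXFMT_FLAG_PSEUDOPAL 0x02  /* gray-style format with a pseudo palette plane */

enum pixfmt { PIXFMT_NONE = -1, PIXFMT_PAL8 = 0, PIXFMT_RGB24, PIXFMT_GRAY8, PIXFMT_NB };

typedef struct { const char *name; int flags; } pixfmt_desc_t;

static const pixfmt_desc_t desc_table[PIXFMT_NB] = {
    [PIXFMT_PAL8]  = { "pal8",  PIXFMT_FLAG_PAL },
    [PIXFMT_RGB24] = { "rgb24", 0 },
    [PIXFMT_GRAY8] = { "gray8", PIXFMT_FLAG_PSEUDOPAL },
};

/* Stand-in for av_pix_fmt_desc_get(): NULL for NONE or out-of-range values. */
static const pixfmt_desc_t *pixfmt_desc_get(enum pixfmt fmt)
{
    if (fmt < 0 || fmt >= PIXFMT_NB)
        return NULL;
    return &desc_table[fmt];
}

typedef struct {
    int compressed;
    int paletted;
    enum pixfmt pix_fmt;
} dds_ctx_t;

typedef struct { uint8_t *data[2]; } frame_t; /* data[1] exists only for PAL/PSEUDOPAL */

/* Parse-time check in the spirit of the second patch: a paletted, uncompressed
 * header whose output format has no palette plane is rejected before any frame
 * is allocated. The descriptor pointer is checked for NULL first. */
static int validate_palette_format(const dds_ctx_t *ctx)
{
    const pixfmt_desc_t *d = pixfmt_desc_get(ctx->pix_fmt);
    if (!d) {
        fprintf(stderr, "Invalid pixel format %d\n", (int)ctx->pix_fmt);
        return ERR_INVALIDDATA;
    }
    if (!ctx->compressed && ctx->paletted &&
        !(d->flags & (PIXFMT_FLAG_PAL | PIXFMT_FLAG_PSEUDOPAL))) {
        fprintf(stderr, "Unsupported palette pixel format: %s\n", d->name);
        return ERR_INVALIDDATA;
    }
    return 0;
}

/* Decode-time step from the first patch: copy 256 RGBA entries into the
 * palette plane, keeping the NULL guard as defence in depth. */
static int decode_palette(const dds_ctx_t *ctx, frame_t *frame,
                          const uint8_t *buf, size_t len)
{
    if (!ctx->paletted)
        return 0;
    if (!frame->data[1]) {
        fprintf(stderr, "Palette frame buffer is not allocated.\n");
        return ERR_INVALIDDATA;
    }
    if (len < 256 * 4)
        return ERR_INVALIDDATA;
    memcpy(frame->data[1], buf, 256 * 4);
    return 0;
}

/* One-call scenario helper for the parse-time check. */
static int check_format(int compressed, int paletted, enum pixfmt fmt)
{
    dds_ctx_t ctx = { compressed, paletted, fmt };
    return validate_palette_format(&ctx);
}

/* Runs decode_palette() with or without a palette plane; returns its result,
 * or -2 if the copied plane does not match the constructed input. */
static int run_decode(int with_palette_plane)
{
    uint8_t pal[256 * 4] = { 0 };
    uint8_t buf[256 * 4];
    frame_t frame = { { NULL, with_palette_plane ? pal : NULL } };
    dds_ctx_t ctx = { 0, 1, PIXFMT_PAL8 };
    size_t i;
    int ret;

    for (i = 0; i < sizeof buf; i++)  /* constructed palette payload */
        buf[i] = (uint8_t)i;
    ret = decode_palette(&ctx, &frame, buf, sizeof buf);
    if (ret == 0 && memcmp(pal, buf, sizeof buf) != 0)
        return -2;
    return ret;
}

int main(void)
{
    printf("paletted rgb24   -> %d\n", check_format(0, 1, PIXFMT_RGB24)); /* -1 */
    printf("paletted pal8    -> %d\n", check_format(0, 1, PIXFMT_PAL8));  /*  0 */
    printf("paletted gray8   -> %d\n", check_format(0, 1, PIXFMT_GRAY8)); /*  0 */
    printf("compressed rgb24 -> %d\n", check_format(1, 1, PIXFMT_RGB24)); /*  0 */
    printf("pix_fmt NONE     -> %d\n", check_format(0, 1, PIXFMT_NONE));  /* -1 */
    printf("decode, no plane -> %d\n", run_decode(0));                     /* -1 */
    printf("decode, plane    -> %d\n", run_decode(1));                     /*  0 */
    return 0;
}
```

The point of keeping both functions is that the parse-time check is what prevents the bad state, while the decode-time guard only makes the failure loud if some other path ever hands the decoder a frame without a palette plane.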

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
