On Sat, Dec 19, 2015 at 11:49:02PM +0100, Andreas Cadhalpun wrote: > A negative bits_per_coded_sample doesn't make sense. > If it is too large, the size calculation for av_get_packet overflows, > resulting in allocation of a too small buffer. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavformat/mlvdec.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c > index 4b3bdc1..2e57aae 100644 > --- a/libavformat/mlvdec.c > +++ b/libavformat/mlvdec.c > @@ -135,6 +135,15 @@ static int scan_file(AVFormatContext *avctx, AVStream > *vst, AVStream *ast, int f > avpriv_request_sample(avctx, "raw api version"); > avio_skip(pb, 20); // pointer, width, height, pitch, frame_size > vst->codec->bits_per_coded_sample = avio_rl32(pb); > + if (vst->codec->bits_per_coded_sample < 0 || > + (vst->codec->width && vst->codec->height &&
> + vst->codec->bits_per_coded_sample > (INT_MAX - 7) / > (vst->codec->width * vst->codec->height))) { w*h can overflow. Might be easier to calculate it in unsigned 64bit and then check the value. Also could be reused to ensure it won't get out of sync with the allocation. > + av_log(avctx, AV_LOG_ERROR, > + "invalid bits_per_coded_sample %d (size: %dx%d)\n", > + vst->codec->bits_per_coded_sample, > + vst->codec->width, vst->codec->height); > + return AVERROR_INVALIDDATA; > + } > avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, > active_area, exposure_bias > if (avio_rl32(pb) != 0x2010100) /* RGGB */ > avpriv_request_sample(avctx, "cfa_pattern"); > -- > 2.6.2 > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The real ebay dictionary, page 1 "Used only once" - "Some unspecified defect prevented a second use" "In good condition" - "Can be repaird by experienced expert" "As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
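Review bot: The divisor `vst->codec->width * vst->codec->height` in the added condition is evaluated in `int`, so the product can itself overflow (undefined behaviour for signed int) before the division that is supposed to rule overflow out. The `width && height` guard also only excludes zero, so a negative dimension reaches the division as well. Consider computing the full size once in 64-bit, for example `(uint64_t)width * height * bits_per_coded_sample`, rejecting it when it exceeds `INT_MAX - 7`, and passing that same value to the size calculation for `av_get_packet`, so the check and the allocation cannot drift apart. Separately, when width or height is still zero at this point the upper-bound test is skipped entirely. If the dimensions can be set after this block, the bound is never enforced for that file, so the check may need to sit next to the allocation, or be repeated there.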