On 20.12.2015 00:55, Michael Niedermayer wrote:
> On Sat, Dec 19, 2015 at 11:49:02PM +0100, Andreas Cadhalpun wrote:
>> A negative bits_per_coded_sample doesn't make sense.
>> If it is too large, the size calculation for av_get_packet overflows,
>> resulting in allocation of a too small buffer.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>> libavformat/mlvdec.c | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
>> index 4b3bdc1..2e57aae 100644
>> --- a/libavformat/mlvdec.c
>> +++ b/libavformat/mlvdec.c
>> @@ -135,6 +135,15 @@ static int scan_file(AVFormatContext *avctx, AVStream
>> *vst, AVStream *ast, int f
>> avpriv_request_sample(avctx, "raw api version");
>> avio_skip(pb, 20); // pointer, width, height, pitch, frame_size
>> vst->codec->bits_per_coded_sample = avio_rl32(pb);
>> + if (vst->codec->bits_per_coded_sample < 0 ||
>> + (vst->codec->width && vst->codec->height &&
>
>> + vst->codec->bits_per_coded_sample > (INT_MAX - 7) /
>> (vst->codec->width * vst->codec->height))) {
>
> w*h can overflow
OK, but that should be checked via av_image_check_size.
Updated patch attached.
> might be easier to calculate it in unsigned 64bit and then check
av_image_check_size does it correctly.
> the value also could be reused to ensure it wont get out of sync with
> the allocation
If width or height could get out of sync, so could the precomputed value.
So I don't think reusing the value is very useful here.
Best regards,
Andreas
>From 66a3af0c54f0db6b96b0bad7ae7b9bbbd980b830 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Sat, 19 Dec 2015 23:45:00 +0100
Subject: [PATCH 2/3] mlvdec: validate bits_per_coded_sample
A negative bits_per_coded_sample doesn't make sense.
If it is too large, the size calculation for av_get_packet overflows,
resulting in allocation of a too small buffer.
Also make sure width and height are sane.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
libavformat/mlvdec.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 4b3bdc1..c003eab 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -25,6 +25,7 @@
*/
#include "libavutil/eval.h"
+#include "libavutil/imgutils.h"
#include "libavutil/intreadwrite.h"
#include "libavutil/rational.h"
#include "avformat.h"
@@ -131,10 +132,21 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f
if (vst && type == MKTAG('R','A','W','I') && size >= 164) {
vst->codec->width = avio_rl16(pb);
vst->codec->height = avio_rl16(pb);
+ ret = av_image_check_size(vst->codec->width, vst->codec->height, 0, avctx);
+ if (ret < 0)
+ return ret;
if (avio_rl32(pb) != 1)
avpriv_request_sample(avctx, "raw api version");
avio_skip(pb, 20); // pointer, width, height, pitch, frame_size
vst->codec->bits_per_coded_sample = avio_rl32(pb);
+ if (vst->codec->bits_per_coded_sample < 0 ||
+ vst->codec->bits_per_coded_sample > (INT_MAX - 7) / (vst->codec->width * vst->codec->height)) {
+ av_log(avctx, AV_LOG_ERROR,
+ "invalid bits_per_coded_sample %d (size: %dx%d)\n",
+ vst->codec->bits_per_coded_sample,
+ vst->codec->width, vst->codec->height);
+ return AVERROR_INVALIDDATA;
+ }
avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias
if (avio_rl32(pb) != 0x2010100) /* RGGB */
avpriv_request_sample(avctx, "cfa_pattern");
--
2.6.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
