On 30.12.2015 21:12, Andreas Cadhalpun wrote:
> It is read up to length s->width * stride, which can be larger than the
> linesize. (stride = (s->nb_components > 1) ? 3 : 1)
> 
> This fixes an out of bounds read.
> 
> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> ---
>  libavcodec/jpeglsdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
> index 68151cb..11ffe93 100644
> --- a/libavcodec/jpeglsdec.c
> +++ b/libavcodec/jpeglsdec.c
> @@ -348,7 +348,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int 
> near,
>      JLSState *state;
>      int off = 0, stride = 1, width, shift, ret = 0;
>  
> -    zero = av_mallocz(s->picture_ptr->linesize[0]);
> +    zero = av_mallocz(FFMAX(s->picture_ptr->linesize[0], s->width * 
> ((s->nb_components > 1) ? 3 : 1)));
>      if (!zero)
>          return AVERROR(ENOMEM);
>      last = zero;
> 
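Review bot: enlarging `zero` to `FFMAX(linesize[0], s->width * stride)` covers the read in ls_decode_line but leaves the underlying inconsistency in place: if `linesize[0]` is smaller than `s->width * stride`, the frame was allocated for a pixel format that does not match the JPEG-LS stream, and anything else in the decoder that is derived from that linesize is unaffected by this change. Rejecting the inconsistent rgb/ls/nb_components state before decoding starts (as the follow-up patch in this thread does) is the safer fix. If this version is kept anyway, the stride expression `(s->nb_components > 1) ? 3 : 1` should not be duplicated inline in the allocation; `stride` is already declared at the top of the hunk (`int off = 0, stride = 1, ...`), so compute it once before the av_mallocz call and use the variable in both places.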

A better fix is to error out before this happens.
Patch doing that attached.

Best regards,
Andreas
From 637a849f80bff4acaa42afe8cb4d2dd60fc4248a Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Thu, 31 Dec 2015 16:55:43 +0100
Subject: [PATCH] mjpegdec: extend check for incompatible values of s->rgb and
 s->ls

This can happen if s->ls changes from 0 to 1, but picture allocation is
skipped due to s->interlaced.

In that case ff_jpegls_decode_picture could be called even though the
s->picture_ptr frame has the wrong pixel format and thus a wrong
linesize, which results in a too small zero buffer being allocated.

This fixes an out-of-bounds read in ls_decode_line.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/mjpegdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index c812b86..c730e05 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -632,7 +632,8 @@ unk_pixfmt:
         av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len);
     }
 
-    if (s->rgb && !s->lossless && !s->ls) {
+    if ((s->rgb && !s->lossless && !s->ls) ||
+        (!s->rgb && s->ls && s->nb_components > 1)) {
         av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n");
         return AVERROR_PATCHWELCOME;
     }
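Review bot: the new clause `(!s->rgb && s->ls && s->nb_components > 1)` rejects every non-RGB multi-component JPEG-LS SOF, not only the case the commit message describes (s->ls changing from 0 to 1 while the picture allocation is skipped because of s->interlaced). That is acceptable if the JPEG-LS path only ever treats multi-component data as packed RGB, but nothing in the condition says so; add a one-line comment above the `if` stating why this combination is unsupported so the check is not "simplified" away later, and consider including s->rgb, s->ls and s->nb_components in the error message so a rejected file can be diagnosed from the log alone. Returning AVERROR_PATCHWELCOME is appropriate here, since the combination is unsupported rather than malformed.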
-- 
2.6.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel