[FFmpeg-devel] [PATCH 1/3] exr: limit expected_len to tmp buffer size

Andreas Cadhalpun Wed, 16 Nov 2016 11:56:37 -0800

This fixes crashes due to pointer corruption caused by invalid writes.

The problem was introduced in commit
03152e74dfdc7f438cb4a10402c4de744e807e22.


Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/exr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c250eea..54869d2 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -841,6 +841,8 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t 
*src,
         }
     }
 
+    expected_len = FFMIN(expected_len, uncompressed_size);
+
     dest_len = expected_len;
 
     if (uncompress(td->tmp, &dest_len, src, compressed_size) != Z_OK) {
-- 
2.10.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

[FFmpeg-devel] [PATCH 1/3] exr: limit expected_len to tmp buffer size

Reply via email to