[FFmpeg-devel] [PATCH 1/4] dpx: perform width/height upgrade and av_image_check_size earlier to prevent segfault on malformed input

[Peter Ross]

Signed-off-by: Peter Ross <pross at xvid.org>
---
 libavcodec/dpx.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index bfc88b6..ba507d5 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -105,6 +105,11 @@ static int decode_frame(AVCodecContext *avctx,
     w = read32(&buf, endian);
     h = read32(&buf, endian);
 
+    if (w != avctx->width || h != avctx->height)
+        avcodec_set_dimensions(avctx, w, h);
+    if (av_image_check_size(avctx->width, avctx->height, 0, avctx))
+        return AVERROR(EINVAL);
+
     // Need to end in 0x320 to read the descriptor
     buf += 20;
     descriptor = buf[0];
@@ -182,10 +187,6 @@ static int decode_frame(AVCodecContext *avctx,
 
     if (s->picture.data[0])
         avctx->release_buffer(avctx, &s->picture);
-    if (av_image_check_size(w, h, 0, avctx))
-        return -1;
-    if (w != avctx->width || h != avctx->height)
-        avcodec_set_dimensions(avctx, w, h);
     if (avctx->get_buffer(avctx, p) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return -1;
-- 
1.8.0

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20121125/6d86e771/attachment.asc>