[FFmpeg-devel] [PATCH 2/3] mlvdec: validate bits_per_coded_sample
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Sat Dec 19 23:49:02 CET 2015
A negative bits_per_coded_sample doesn't make sense.
If it is too large, the size calculation for av_get_packet overflows,
resulting in allocation of a too small buffer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavformat/mlvdec.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 4b3bdc1..2e57aae 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -135,6 +135,15 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f
avpriv_request_sample(avctx, "raw api version");
avio_skip(pb, 20); // pointer, width, height, pitch, frame_size
vst->codec->bits_per_coded_sample = avio_rl32(pb);
+ if (vst->codec->bits_per_coded_sample < 0 ||
+ (vst->codec->width && vst->codec->height &&
+ vst->codec->bits_per_coded_sample > (INT_MAX - 7) / (vst->codec->width * vst->codec->height))) {
+ av_log(avctx, AV_LOG_ERROR,
+ "invalid bits_per_coded_sample %d (size: %dx%d)\n",
+ vst->codec->bits_per_coded_sample,
+ vst->codec->width, vst->codec->height);
+ return AVERROR_INVALIDDATA;
+ }
avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias
if (avio_rl32(pb) != 0x2010100) /* RGGB */
avpriv_request_sample(avctx, "cfa_pattern");
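Review bot: the divisor in the new upper bound, `(INT_MAX - 7) / (vst->codec->width * vst->codec->height)`, is itself an int multiplication, so for large width and height the product can overflow before the division and the check no longer bounds anything. Unless both dimensions are already limited earlier in scan_file, do the comparison in 64-bit instead, for example `(int64_t)vst->codec->width * vst->codec->height * vst->codec->bits_per_coded_sample > INT_MAX - 7`, which also removes the division. Note also that when width or height is 0 the upper bound is skipped entirely, so only the `< 0` test applies; if the dimensions can be set by a later block, the size calculation mentioned in the commit message needs the same check at the point where it is computed.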
--
2.6.2