[FFmpeg-devel] [PATCH] pngdec: abort if x_offset * bpp >= image_linesize

Michael Niedermayer michaelni at gmx.at
Sun May 3 20:09:21 CEST 2015


On Sun, May 03, 2015 at 05:11:17PM +0200, Andreas Cadhalpun wrote:
> In this case ptr could be set to a position outside the image_buf in
> png_handle_row, leading to memory corruption and thus crashes.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavcodec/pngdec.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
> index 26de09d..4488726 100644
> --- a/libavcodec/pngdec.c
> +++ b/libavcodec/pngdec.c
> @@ -655,6 +655,12 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
>                  s->row_size, s->crow_size);
>          s->image_buf      = p->data[0];
>          s->image_linesize = p->linesize[0];
> +        if (s->x_offset * s->bpp >= s->image_linesize) {
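Review bot: the bound in this condition is the wrong one. `s->image_linesize` is the padded stride taken from `p->linesize[0]` two lines above and is normally larger than `width * bpp`, so `x_offset * bpp < image_linesize` still admits an x_offset that lies beyond the last visible pixel of the row; and the comparison only constrains where the row write starts, not where it ends, so a row placed at that offset can still extend past the end of the row even when the condition is false. Bound x_offset plus the width of the rows being written against the frame width in pixels instead, covering both the start and the end of the write, and put that check where x_offset is parsed from the chunk rather than here in decode_idat_chunk. As quoted, the hunk also stops at the `if`, so the error path it takes is not visible for review.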

this doesn't look correct, the linesize could be larger than the
width in pixels yet still x_offset shouldn't point outside the width
and x_offset is being checked where it's read
maybe there's some missing check on chunk order or something changes
that's assumed not to ...


[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many that live deserve death. And some that die deserve life. Can you give
it to them? Then do not be too eager to deal out death in judgement. For
even the very wise cannot see all ends. -- Gandalf
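As an added illustration of the objection above (example code written for this page, not FFmpeg's pngdec.c; the `frame` struct, its field names, the helper names and the 4x2 RGBA sample frame are all constructed for the demonstration), the following compares the quoted condition, which bounds only the start of a row write against the padded linesize, with a check that bounds both the start and the end of the write against the visible width. With rows padded from 16 to 32 bytes, an x_offset of 5 passes the linesize test but places a 4-pixel row entirely outside the image and past the end of the padded row; an x_offset of 2 also passes it and writes into the padding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the decoder's output frame (not FFmpeg's AVFrame):
 * each row holds width pixels of bpp bytes, but occupies linesize bytes,
 * where linesize >= width * bpp and the surplus is alignment padding that
 * no pixel write should touch. */
struct frame {
    int width;       /* visible width in pixels */
    int height;      /* number of rows */
    int bpp;         /* bytes per pixel */
    int linesize;    /* bytes from one row start to the next, padding included */
    uint8_t *buf;    /* height * linesize bytes */
};

/* The condition from the quoted patch, as a predicate: accept the write if
 * its first byte lies before the end of the padded row. It says nothing
 * about how many bytes follow that first byte. */
static int start_before_linesize(const struct frame *f, int x_offset)
{
    return (long)x_offset * f->bpp < f->linesize;
}

/* The bound the review asks for: both the start and the end of a row write
 * of row_w pixels at pixel x_offset must lie within the visible width. */
static int subrow_within_width(const struct frame *f, int x_offset, int row_w)
{
    if (x_offset < 0 || row_w < 0)
        return 0;
    return (long)x_offset + row_w <= f->width;
}

/* Classify what a row write of row_w pixels at x_offset would overrun:
 *   0  stays inside the visible pixels
 *   1  runs into the row's alignment padding
 *   2  runs past the padded row, i.e. into the next row or, on the last
 *      row, past the end of the allocation */
static int overrun_class(const struct frame *f, int x_offset, int row_w)
{
    long end = ((long)x_offset + row_w) * f->bpp;   /* one past the last byte written */
    if (end <= (long)f->width * f->bpp)
        return 0;
    if (end <= f->linesize)
        return 1;
    return 2;
}

/* A row write guarded by the width-based check. Returns 0 on success and
 * -1, without touching the buffer, if the sub-row does not fit. */
static int guarded_write_row(struct frame *f, int y, int x_offset,
                             const uint8_t *src, int row_w)
{
    if (y < 0 || y >= f->height || !subrow_within_width(f, x_offset, row_w))
        return -1;
    uint8_t *ptr = f->buf + (size_t)y * f->linesize + (size_t)x_offset * f->bpp;
    memcpy(ptr, src, (size_t)row_w * f->bpp);
    return 0;
}

/* Constructed sample: a 4x2 RGBA frame whose 16-byte rows are padded to 32
 * bytes, and one 4-pixel row of pixel data to place into it. */
static uint8_t sample_buf[2 * 32];
static struct frame sample = { 4, 2, 4, 32, sample_buf };
static const uint8_t sample_px[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                       9, 10, 11, 12, 13, 14, 15, 16 };

int main(void)
{
    /* A full-width (4 pixel) sub-row placed at increasing x offsets. */
    for (int x = 0; x <= 8; x++) {
        printf("x_offset=%d  linesize check: %s  width check: %s  overrun class: %d\n",
               x,
               start_before_linesize(&sample, x) ? "pass" : "fail",
               subrow_within_width(&sample, x, 4) ? "pass" : "fail",
               overrun_class(&sample, x, 4));
    }
    printf("guarded write at x=0: %d, at x=5: %d\n",
           guarded_write_row(&sample, 1, 0, sample_px, 4),
           guarded_write_row(&sample, 1, 5, sample_px, 4));
    return 0;
}
```

The width-based predicate is the one a decoder wants at the point where the offset is parsed from the chunk, before any row is written; checking the stride at write time catches only the subset of bad offsets that begin past the padded row.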