[FFmpeg-devel] [libav-devel] [PATCH 2/4] dds: validate compressed source buffer size
Vittorio Giovara
vittorio.giovara at gmail.com
Wed Nov 11 12:31:04 CET 2015
On Wed, Nov 11, 2015 at 1:15 AM, Andreas Cadhalpun
<andreas.cadhalpun at googlemail.com> wrote:
> A too small buffer will cause segfaults somewhere below
> decompress_texture_thread.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavcodec/dds.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/libavcodec/dds.c b/libavcodec/dds.c
> index 324e665..c918cf0 100644
> --- a/libavcodec/dds.c
> +++ b/libavcodec/dds.c
> @@ -642,9 +642,18 @@ static int dds_decode(AVCodecContext *avctx, void *data,
> return ret;
>
> if (ctx->compressed) {
> + int size = (avctx->coded_height / TEXTURE_BLOCK_H) *
> + (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio;
> ctx->slice_count = av_clip(avctx->thread_count, 1,
> avctx->coded_height / TEXTURE_BLOCK_H);
>
> + if (bytestream2_get_bytes_left(gbc) < size) {
> + av_log(avctx, AV_LOG_ERROR,
> + "Compressed Buffer is too small (%d < %d).\n",
> + bytestream2_get_bytes_left(gbc), size);
> + return AVERROR_INVALIDDATA;
> + }
> +
> /* Use the decompress function on the texture, one block per thread. */
> ctx->tex_data = gbc->buffer;
> avctx->execute2(avctx, decompress_texture_thread, frame, NULL, ctx->slice_count);
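Review bot: the `size` expression at the top of the `if (ctx->compressed)` block is computed in plain `int`, and nothing in this hunk bounds `coded_width`, `coded_height` or `ctx->tex_ratio`, so the product can overflow and wrap to a small or negative value that passes the `bytestream2_get_bytes_left(gbc) < size` test. Unless the dimensions are already limited before this point, compute the product in `int64_t` (or reject it when it exceeds `INT_MAX`) before comparing. The integer divisions also round down, so the check only covers every block if the coded dimensions are multiples of `TEXTURE_BLOCK_W` and `TEXTURE_BLOCK_H`; a short comment stating that assumption would help.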
> --
Not sure if we should check this before the ff_get_buffer to avoid an
allocation in case of error, but I think the patch is correct.
--
Vittorio