[FFmpeg-devel] [libav-devel] [PATCH 2/4] dds: validate compressed source buffer size
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Wed Nov 11 20:34:29 CET 2015
On 11.11.2015 12:31, Vittorio Giovara wrote:
> On Wed, Nov 11, 2015 at 1:15 AM, Andreas Cadhalpun
> <andreas.cadhalpun at googlemail.com> wrote:
>> A too small buffer will cause segfaults somewhere below
>> decompress_texture_thread.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>> libavcodec/dds.c | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/libavcodec/dds.c b/libavcodec/dds.c
>> index 324e665..c918cf0 100644
>> --- a/libavcodec/dds.c
>> +++ b/libavcodec/dds.c
>> @@ -642,9 +642,18 @@ static int dds_decode(AVCodecContext *avctx, void *data,
>> return ret;
>>
>> if (ctx->compressed) {
>> + int size = (avctx->coded_height / TEXTURE_BLOCK_H) *
>> + (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio;
>> ctx->slice_count = av_clip(avctx->thread_count, 1,
>> avctx->coded_height / TEXTURE_BLOCK_H);
>>
>> + if (bytestream2_get_bytes_left(gbc) < size) {
>> + av_log(avctx, AV_LOG_ERROR,
>> + "Compressed Buffer is too small (%d < %d).\n",
>> + bytestream2_get_bytes_left(gbc), size);
>> + return AVERROR_INVALIDDATA;
>> + }
>> +
>> /* Use the decompress function on the texture, one block per thread. */
>> ctx->tex_data = gbc->buffer;
>> avctx->execute2(avctx, decompress_texture_thread, frame, NULL, ctx->slice_count);
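Review bot: In the `size` computation at the top of the `if (ctx->compressed)` block, the product of the two block counts and `ctx->tex_ratio` is evaluated in `int`, and nothing in this hunk bounds it. If the coded dimensions can be large enough for that product to overflow, the `bytestream2_get_bytes_left(gbc) < size` comparison could pass on a short buffer. Consider computing the value in `int64_t`, or add a comment naming the earlier dimension check that bounds it. The two integer divisions also round down, so it is worth stating that `coded_width` and `coded_height` are multiples of `TEXTURE_BLOCK_W` and `TEXTURE_BLOCK_H` at this point. If they are not, the required size is underestimated for a partial last block row or column.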
>> --
>
> Not sure if we should check this before the ff_get_buffer to avoid an
> allocation in case of error, but I think the patch is correct.
While that would be possible for this case, it'd be more difficult for the uncompressed case,
where the check uses frame->height and frame->width, which are calculated in ff_get_buffer.
So I think it's simpler to do it this way.
Best regards,
Andreas