[FFmpeg-devel] [PATCH 1/3] exr: limit expected_len to tmp buffer size
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Wed Nov 16 21:55:52 EET 2016
This fixes crashes due to pointer corruption caused by invalid writes.
The problem was introduced in commit
03152e74dfdc7f438cb4a10402c4de744e807e22.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavcodec/exr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c250eea..54869d2 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -841,6 +841,8 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
}
}
+ expected_len = FFMIN(expected_len, uncompressed_size);
+
dest_len = expected_len;
if (uncompress(td->tmp, &dest_len, src, compressed_size) != Z_OK) {
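Review bot: The added `expected_len = FFMIN(expected_len, uncompressed_size);` clamps silently, so a file whose computed length exceeds the buffer keeps decoding with a truncated `dest_len` instead of being reported as invalid. Consider rejecting the case explicitly, for example `if (expected_len > uncompressed_size) return AVERROR_INVALIDDATA;`. If clamping is intended, add a comment stating that `td->tmp` holds at least `uncompressed_size` bytes, since the `dest_len` passed to `uncompress(td->tmp, &dest_len, src, compressed_size)` depends on that invariant and it is not visible in this hunk. It is also worth confirming that the code consuming `td->tmp` after this call does not still index it by the pre-clamp length.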
--
2.10.2