[FFmpeg-cvslog] avcodec/pngdec: Check values before updating context in decode_fctl_chunk( )

[Michael Niedermayer]

ffmpeg | branch: release/2.6 | Michael Niedermayer <michaelni at gmx.at> | Mon Jun 29 22:32:02 2015 +0200| [917544b2eace14097b2e4437dc0df972e8016e97] | committer: Michael Niedermayer

avcodec/pngdec: Check values before updating context in decode_fctl_chunk()

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit b54ac8403bfea4e7fab0799ccfe728ba76959a38)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=917544b2eace14097b2e4437dc0df972e8016e97
---

 libavcodec/pngdec.c |   34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 4a541d4..dd71f27 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -810,6 +810,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
                              uint32_t length)
 {
     uint32_t sequence_number;
+    int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op;
 
     if (length != 26)
         return AVERROR_INVALIDDATA;
@@ -820,23 +821,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
     }
 
     sequence_number = bytestream2_get_be32(&s->gb);
-    s->cur_w        = bytestream2_get_be32(&s->gb);
-    s->cur_h        = bytestream2_get_be32(&s->gb);
-    s->x_offset     = bytestream2_get_be32(&s->gb);
-    s->y_offset     = bytestream2_get_be32(&s->gb);
+    cur_w           = bytestream2_get_be32(&s->gb);
+    cur_h           = bytestream2_get_be32(&s->gb);
+    x_offset        = bytestream2_get_be32(&s->gb);
+    y_offset        = bytestream2_get_be32(&s->gb);
     bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */
-    s->dispose_op   = bytestream2_get_byte(&s->gb);
-    s->blend_op     = bytestream2_get_byte(&s->gb);
+    dispose_op      = bytestream2_get_byte(&s->gb);
+    blend_op        = bytestream2_get_byte(&s->gb);
     bytestream2_skip(&s->gb, 4); /* crc */
 
     if (sequence_number == 0 &&
-        (s->cur_w != s->width ||
-         s->cur_h != s->height ||
-         s->x_offset != 0 ||
-         s->y_offset != 0) ||
-        s->cur_w <= 0 || s->cur_h <= 0 ||
-        s->x_offset < 0 || s->y_offset < 0 ||
-        s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset)
+        (cur_w != s->width ||
+         cur_h != s->height ||
+         x_offset != 0 ||
+         y_offset != 0) ||
+        cur_w <= 0 || cur_h <= 0 ||
+        x_offset < 0 || y_offset < 0 ||
+        cur_w > s->width - x_offset|| cur_h > s->height - y_offset)
             return AVERROR_INVALIDDATA;
 
     /* always (re)start with a clean frame */
@@ -850,6 +851,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
             s->dispose_op = APNG_DISPOSE_OP_NONE;
     }
 
+    s->cur_w      = cur_w;
+    s->cur_h      = cur_h;
+    s->x_offset   = x_offset;
+    s->y_offset   = y_offset;
+    s->dispose_op = dispose_op;
+    s->blend_op   = blend_op;
+
     return 0;
 }