[FFmpeg-cvslog] mss12: validate display dimensions

Anton Khirnov git at videolan.org
Sun Mar 19 19:20:43 EET 2017


ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Sun Aug 14 10:18:39 2016 +0200| [6755eb5b212384e0599f7f2c5de42df49fff57de] | committer: Anton Khirnov

mss12: validate display dimensions

The code currently reads the coded dimensions from the extradata, but
expects the display dimensions to be set by the caller, and does not
check that they are compatible (i.e. that the displayed size is smaller
than the coded size).

Make sure that when the display dimensions are set, they are also valid.
Fixes possible invalid memory access.

CC: libav-stable at libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6755eb5b212384e0599f7f2c5de42df49fff57de
---

 libavcodec/mss12.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c
index d4b621f..b9bda16 100644
--- a/libavcodec/mss12.c
+++ b/libavcodec/mss12.c
@@ -588,6 +588,16 @@ av_cold int ff_mss12_decode_init(MSS12Context *c, int version,
                avctx->coded_width, avctx->coded_height);
         return AVERROR_INVALIDDATA;
     }
+    if (avctx->width || avctx->height) {
+        if (avctx->width  <= 0 || avctx->width > avctx->coded_width ||
+            avctx->height <= 0 || avctx->height > avctx->coded_height) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid display dimensions\n");
+            return AVERROR_INVALIDDATA;
+        }
+    } else {
+        avctx->width  = avctx->coded_width;
+        avctx->height = avctx->coded_height;
+    }
 
     av_log(avctx, AV_LOG_DEBUG, "Encoder version %"PRIu32".%"PRIu32"\n",
            AV_RB32(avctx->extradata + 4), AV_RB32(avctx->extradata + 8));
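
Review bot: the new error path at `av_log(avctx, AV_LOG_ERROR, "Invalid display dimensions\n");` does not print the rejected values, while the context lines just above show `avctx->coded_width, avctx->coded_height` being passed to the preceding error message. Logging avctx->width and avctx->height together with the coded dimensions would let a rejected file be diagnosed from the log alone. Separately, because the outer test is `avctx->width || avctx->height`, a caller that sets only one of the two (leaving the other at 0) fails the `<= 0` check and gets AVERROR_INVALIDDATA instead of the fallback to the coded size in the else branch; if that is intended, a one-line comment saying so would help. The bounds use `>`, so display dimensions equal to the coded dimensions are accepted, which the commit message's "smaller than" does not spell out.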


