[FFmpeg-devel] [PATCH] buffer read sanity check (issue 2503)
Michael Niedermayer
michaelni
Fri Jan 7 15:46:43 CET 2011
On Thu, Jan 06, 2011 at 11:51:58PM -0500, Daniel Kang wrote:
> ffmpeg does not check for buffer overreading in the dpx decoder. For
> invalid headers, the target_packet_size or width could be too large. The
> patch attached adds a sanity check.
> dpx.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
> e3c6cd5042d736935c2c5a730c93ee96f108b988 dpx_buffer_sanity_check.diff
> From ae6ec1ce796735a666afb6b911c8c9e594b1eb8a Mon Sep 17 00:00:00 2001
> From: Daniel Kang <daniel.d.kang at gmail.com>
> Date: Thu, 6 Jan 2011 23:34:05 -0500
> Subject: [PATCH] dpx buffer overread sanity check
>
> ---
> libavcodec/dpx.c | 9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
> index f92b3d0..588ec6c 100644
> --- a/libavcodec/dpx.c
> +++ b/libavcodec/dpx.c
> @@ -55,6 +55,7 @@ static int decode_frame(AVCodecContext *avctx,
> AVPacket *avpkt)
> {
> const uint8_t *buf = avpkt->data;
> + const uint8_t *buf_end = avpkt->data + avpkt->size;
> int buf_size = avpkt->size;
> DPXContext *const s = avctx->priv_data;
> AVFrame *picture = data;
> @@ -174,6 +175,10 @@ static int decode_frame(AVCodecContext *avctx,
> case 16:
> if (source_packet_size == target_packet_size) {
> for (x = 0; x < avctx->height; x++) {
> + if (buf + target_packet_size*avctx->width > buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
> + return -1;
> + }
> memcpy(ptr, buf, target_packet_size*avctx->width);
> ptr += stride;
> buf += source_packet_size*avctx->width;
> @@ -182,6 +187,10 @@ static int decode_frame(AVCodecContext *avctx,
> for (x = 0; x < avctx->height; x++) {
> uint8_t *dst = ptr;
> for (y = 0; y < avctx->width; y++) {
> + if (buf + target_packet_size > buf_end) {
> + av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
> + return -1;
> + }
something like
if(source_packet_size * avctx->width > buf_end - buf)
at a single spot should be able to catch all i think
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Democracy is the form of government in which you can choose your dictator
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110107/e8ae4415/attachment.pgp>
More information about the ffmpeg-devel
mailing list