[FFmpeg-devel] [PATCH] DPX decode: add buffer size checks.
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Fri Mar 25 20:01:43 CET 2011
On 25 Mar 2011, at 19:08, Stefano Sabatini <stefano.sabatini-lala at poste.it> wrote:
> On date Friday 2011-03-25 19:03:56 +0100, Reimar Döffinger encoded:
>> ---
>> libavcodec/dpx.c | 19 ++++++++++++++-----
>> 1 files changed, 14 insertions(+), 5 deletions(-)
>>
>> diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
>> index ade4e8c..7fff985 100644
>> --- a/libavcodec/dpx.c
>> +++ b/libavcodec/dpx.c
>> @@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx,
>>
>> unsigned int rgbBuffer;
>>
>> + if (avpkt->size <= 0x324) {
>> + av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n");
>> + return AVERROR_INVALIDDATA;
>> + }
>> +
>> magic_num = AV_RB32(buf);
>> buf += 4;
>>
>> @@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx,
>> }
>>
>> offset = read32(&buf, endian);
>> + if (avpkt->size <= offset) {
>> + av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n");
>> + return AVERROR_INVALIDDATA;
>> + }
>> // Need to end in 0x304 offset from start of file
>> buf = avpkt->data + 0x304;
>> w = read32(&buf, endian);
>> @@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx,
>> case 10:
>> avctx->pix_fmt = PIX_FMT_RGB48;
>> target_packet_size = 6;
>
>> - source_packet_size = elements * 2;
>> + source_packet_size = 4;
>
> Is this related?
Yes, it is needed for the check I moved to work also with 10bit formats.
More information about the ffmpeg-devel
mailing list