[FFmpeg-devel] [PATCH 4/7] Check for invalid/corrupted bitstream in sun raster decoder.

Laurent Aimar fenrir at elivagar.org
Wed Sep 28 00:35:58 CEST 2011


> > diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c
> > index 57b0734..494af5d 100644
> > --- a/libavcodec/sunrast.c
> > +++ b/libavcodec/sunrast.c
> > @@ -68,21 +68,29 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
> >      type      = AV_RB32(buf+20);
> >      maptype   = AV_RB32(buf+24);
> >      maplength = AV_RB32(buf+28);
> > +    buf += 32;
> >  
> > -    if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
> > -        av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
> > +    if (type < RT_OLD || type > RT_FORMAT_IFF) {
> > +        av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
> >          return -1;
> >      }
> > -    if (type > RT_FORMAT_IFF) {
> > -        av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
> > +    if (av_image_check_size(w, h, 0, avctx)) {
> > +        av_log(avctx, AV_LOG_ERROR, "invalid image size\n");
> >          return -1;
> >      }
> >      if (maptype & ~1) {
> >          av_log(avctx, AV_LOG_ERROR, "invalid colormap type\n");
> >          return -1;
> >      }
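Review bot: the rewritten type check at the top of this hunk no longer rejects RT_FORMAT_TIFF and RT_FORMAT_IFF. The removed lines returned "unsupported (compression) type" for both, while the new test `type < RT_OLD || type > RT_FORMAT_IFF` lets them through. Unless a part of the function not shown here handles or rejects those two types, keep the explicit unsupported check after the range check so such files fail here with a clear message instead of reaching the decode code. Separately, `type` is read with AV_RB32 the same way as `maplength`; if it shares the unsigned declaration, the `type < RT_OLD` half of the condition has the same issue as the `maplength < 0` test and only the upper bound does any work.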
> 
> > +    if (maplength < 0) {
> > +        av_log(avctx, AV_LOG_ERROR, "invalid map length\n");
> > +        return -1;
> > +    }
> 
> This seems impossible, maplength is unsigned
You are right, I misread it.
Patch attached.

-- 
fenrir
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Check-for-invalid-corrupted-bitstream-in-sun-raster-.patch
Type: text/x-diff
Size: 1934 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20110928/f1e5b7e0/attachment.bin>

