[FFmpeg-devel] [PATCH] dpx: perform width/height upgrade and av_image_check_size earlier to prevent segfault on malformed input
Peter Ross
pross at xvid.org
Mon Nov 26 12:45:07 CET 2012
Signed-off-by: Peter Ross <pross at xvid.org>
---
No doubling up of checks required. Cheers,
libavcodec/dpx.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index bfc88b6..4d09efe 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -104,6 +104,11 @@ static int decode_frame(AVCodecContext *avctx,
buf = avpkt->data + 0x304;
w = read32(&buf, endian);
h = read32(&buf, endian);
+ if (av_image_check_size(w, h, 0, avctx))
+ return AVERROR(EINVAL);
+
+ if (w != avctx->width || h != avctx->height)
+ avcodec_set_dimensions(avctx, w, h);
// Need to end in 0x320 to read the descriptor
buf += 20;
@@ -182,10 +187,6 @@ static int decode_frame(AVCodecContext *avctx,
if (s->picture.data[0])
avctx->release_buffer(avctx, &s->picture);
- if (av_image_check_size(w, h, 0, avctx))
- return -1;
- if (w != avctx->width || h != avctx->height)
- avcodec_set_dimensions(avctx, w, h);
if (avctx->get_buffer(avctx, p) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return -1;
--
1.8.0
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20121126/8c455a4b/attachment.asc>
More information about the ffmpeg-devel
mailing list