[FFmpeg-devel] [PATCH 2/2] avformat/apngdec: validate frame dimensions.

Michael Niedermayer michaelni at gmx.at
Wed Nov 26 00:02:54 CET 2014


On Tue, Nov 25, 2014 at 10:52:22AM +0100, Benoit Fouet wrote:
> ---
>  libavformat/apngdec.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
> index dac71f1..e9c87a1 100644
> --- a/libavformat/apngdec.c
> +++ b/libavformat/apngdec.c
> @@ -295,7 +295,9 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
>          height != s->streams[0]->codec->height ||
>          x_offset != 0 ||
>          y_offset != 0) {
> -        if (sequence_number == 0)
> +        if (sequence_number == 0 ||
> +            width  + x_offset > s->streams[0]->codec->width ||
> +            height + y_offset > s->streams[0]->codec->height)
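
Review bot: The two added comparisons, `width + x_offset > s->streams[0]->codec->width` and `height + y_offset > s->streams[0]->codec->height`, compute a sum before comparing. If the operands can take the full range of their type, the sum can wrap and the check then accepts a frame that extends past the canvas. The declarations are not visible in this hunk, so whether this happens depends on the types of `width`, `height`, `x_offset` and `y_offset`. A form that cannot wrap is to reject `width > codec->width` first and then test `x_offset > codec->width - width` (likewise for `height` and `y_offset`), or to do the addition in a 64-bit type.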

the addition can overflow

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato