[FFmpeg-devel] [PATCH 2/3] mlvdec: validate bits_per_coded_sample

Michael Niedermayer michael at niedermayer.cc
Sun Dec 20 00:55:54 CET 2015


On Sat, Dec 19, 2015 at 11:49:02PM +0100, Andreas Cadhalpun wrote:
> A negative bits_per_coded_sample doesn't make sense.
> If it is too large, the size calculation for av_get_packet overflows,
> resulting in allocation of a too small buffer.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/mlvdec.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> index 4b3bdc1..2e57aae 100644
> --- a/libavformat/mlvdec.c
> +++ b/libavformat/mlvdec.c
> @@ -135,6 +135,15 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f
>                  avpriv_request_sample(avctx, "raw api version");
>              avio_skip(pb, 20); // pointer, width, height, pitch, frame_size
>              vst->codec->bits_per_coded_sample = avio_rl32(pb);
> +            if (vst->codec->bits_per_coded_sample < 0 ||
> +                (vst->codec->width && vst->codec->height &&

> +                vst->codec->bits_per_coded_sample > (INT_MAX - 7) / (vst->codec->width * vst->codec->height))) {

w*h can overflow
might be easier to calculate it in unsigned 64bit and then check
the value also could be reused to ensure it won't get out of sync with
the allocation



> +                av_log(avctx, AV_LOG_ERROR,
> +                       "invalid bits_per_coded_sample %d (size: %dx%d)\n",
> +                       vst->codec->bits_per_coded_sample,
> +                       vst->codec->width, vst->codec->height);
> +                return AVERROR_INVALIDDATA;
> +            }
>              avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias
>              if (avio_rl32(pb) != 0x2010100) /* RGGB */
>                  avpriv_request_sample(avctx, "cfa_pattern");
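Review bot: the product `vst->codec->width * vst->codec->height` in the new condition is evaluated in int and can itself overflow for large dimensions, so the guard may pass with a wrapped divisor and the overflow it is meant to prevent is only moved, not removed. Suggest computing the pixel count in 64 bits before the comparison, e.g. `uint64_t pixels = (uint64_t)vst->codec->width * vst->codec->height;` followed by `if (vst->codec->bits_per_coded_sample < 0 || (pixels && vst->codec->bits_per_coded_sample > (INT_MAX - 7) / pixels))`, and reusing that same computed size at the av_get_packet call so the check and the allocation cannot drift apart. Note also that the check is skipped entirely when width or height is zero; a size computed once in 64 bits and used at the allocation site would cover that path as well.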
> -- 
> 2.6.2
> 
> 

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is" - "You wouldn't want it even if you were paid for it, if you knew ..."