[FFmpeg-devel] [libav-devel] [PATCH 2/4] dds: validate compressed source buffer size

Vittorio Giovara vittorio.giovara at gmail.com
Wed Nov 11 12:31:04 CET 2015


On Wed, Nov 11, 2015 at 1:15 AM, Andreas Cadhalpun
<andreas.cadhalpun at googlemail.com> wrote:
> A too small buffer will cause segfaults somewhere below
> decompress_texture_thread.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavcodec/dds.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/libavcodec/dds.c b/libavcodec/dds.c
> index 324e665..c918cf0 100644
> --- a/libavcodec/dds.c
> +++ b/libavcodec/dds.c
> @@ -642,9 +642,18 @@ static int dds_decode(AVCodecContext *avctx, void *data,
>          return ret;
>
>      if (ctx->compressed) {
> +        int size = (avctx->coded_height / TEXTURE_BLOCK_H) *
> +                   (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio;
>          ctx->slice_count = av_clip(avctx->thread_count, 1,
>                                     avctx->coded_height / TEXTURE_BLOCK_H);
>
> +        if (bytestream2_get_bytes_left(gbc) < size) {
> +            av_log(avctx, AV_LOG_ERROR,
> +                   "Compressed Buffer is too small (%d < %d).\n",
> +                   bytestream2_get_bytes_left(gbc), size);
> +            return AVERROR_INVALIDDATA;
> +        }
> +
>          /* Use the decompress function on the texture, one block per thread. */
>          ctx->tex_data = gbc->buffer;
>          avctx->execute2(avctx, decompress_texture_thread, frame, NULL, ctx->slice_count);
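
Review bot: the `int size` product at the top of the `if (ctx->compressed)` block multiplies three int values, so for large coded dimensions it can overflow before it is compared with bytestream2_get_bytes_left(gbc), and a wrapped or negative size would let the new check pass. Unless the dimensions are already bounded earlier in dds_decode (not visible in this hunk), compute the product in 64 bits, e.g. `int64_t size = (int64_t)(avctx->coded_height / TEXTURE_BLOCK_H) * (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio;`, and update the `%d` in the log format to match. The divisions also round down, so the check relies on coded_width and coded_height being multiples of the block size; a one-line comment stating that assumption would help.
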
> --

Not sure if we should check this before the ff_get_buffer to avoid an
allocation in case of error, but I think the patch is correct.
-- 
Vittorio