[FFmpeg-devel] [PATCH] avcodec/ffv1dec: fix crash if number of slice counts change midstream
Paul B Mahol
onemda at gmail.com
Thu Sep 24 21:45:35 CEST 2015
Everything points to this being currently unsupported.
Signed-off-by: Paul B Mahol <onemda at gmail.com>
---
libavcodec/ffv1dec.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 557b1a0..886f172 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -776,18 +776,25 @@ static int read_header(FFV1Context *f)
return AVERROR_INVALIDDATA;
}
} else if (f->version < 3) {
- f->slice_count = get_symbol(c, state, 0);
+ if (get_symbol(c, state, 0) != f->slice_count) {
+ av_log(f->avctx, AV_LOG_ERROR, "midstream change of slice count is unsupported\n");
+ return AVERROR_INVALIDDATA;
+ }
} else {
const uint8_t *p = c->bytestream_end;
- for (f->slice_count = 0;
- f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start;
- f->slice_count++) {
+ for (i = 0;
+ i < MAX_SLICES && 3 < p - c->bytestream_start;
+ i++) {
int trailer = 3 + 5*!!f->ec;
int size = AV_RB24(p-trailer);
if (size + trailer > p - c->bytestream_start)
break;
p -= size + trailer;
}
+ if (i != f->slice_count) {
+ av_log(f->avctx, AV_LOG_ERROR, "midstream change of slice count is unsupported\n");
+ return AVERROR_INVALIDDATA;
+ }
}
if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) {
av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count);
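Review bot: Both new checks compare the parsed count against `f->slice_count`, but neither branch assigns it any more, so the first header of a stream only passes if the count was already set somewhere outside this hunk (read_header starts and ends outside it). If the extradata/init path guarantees that, a comment above the checks such as `/* slice_count is fixed at init; slice contexts are sized for it */` would make the invariant reviewable; if it does not, valid version 2 and 3 streams would presumably be rejected on their first keyframe. The version 3 branch also turns a packet whose trailers yield fewer slices than expected, for example a truncated or damaged one, into a hard `AVERROR_INVALIDDATA`, which may be stricter than the crash fix needs, depending on how the decode loop outside the hunk uses the count. The duplicated log-and-return could be a single comparison after the if/else on a local parsed count, which would also keep the range check on `f->slice_count` below it meaningful for the newly parsed value.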
--
1.9.1