[FFmpeg-devel] [PATCH] pnmdec: make sure v is capped by maxval

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Wed Nov 9 22:05:17 EET 2016


On 09.11.2016 11:10, Michael Niedermayer wrote:
> On Wed, Nov 09, 2016 at 01:11:29AM +0100, Andreas Cadhalpun wrote:
>> Otherwise put_bits can be called with a value that doesn't fit in the
>> sample_len, causing an assertion failure.
>> ---
>>  libavcodec/pnmdec.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
>> index ca97cc3..0381ea6 100644
>> --- a/libavcodec/pnmdec.c
>> +++ b/libavcodec/pnmdec.c
>> @@ -145,6 +145,10 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
>>                          /* read a sequence of digits */
>>                          do {
>>                              v = 10*v + c;
>> +                             if (v > s->maxval) {
>> +                                av_log(avctx, AV_LOG_ERROR, "value %d larger than maxval %d\n", v, s->maxval);
>> +                                return AVERROR_INVALIDDATA;
>> +                            }
> 
> indention is a bit noisy

Fixed.

> i think it can overflow if maxval is large,

I've added an explicit check for v < 0, which should catch that.

> it would be faster to check outside the loop

However, such a check could pass if v overflowed so much that it's
in the valid range again, so I'd rather not do that.

Updated patch is attached.

Best regards,
Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pnmdec-make-sure-v-is-capped-by-maxval.patch
Type: text/x-diff
Size: 1172 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161109/7b3e0530/attachment.patch>


More information about the ffmpeg-devel mailing list