[FFmpeg-devel] [PATCH 1/3] exr: limit expected_len to tmp buffer size

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Wed Nov 16 21:55:52 EET 2016


This fixes crashes due to pointer corruption caused by invalid writes.

The problem was introduced in commit
03152e74dfdc7f438cb4a10402c4de744e807e22.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/exr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c250eea..54869d2 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -841,6 +841,8 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
         }
     }
 
+    expected_len = FFMIN(expected_len, uncompressed_size);
+
     dest_len = expected_len;
 
     if (uncompress(td->tmp, &dest_len, src, compressed_size) != Z_OK) {
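Review bot: the clamp placed just before `dest_len = expected_len;` silently accepts input whose computed expected_len is larger than uncompressed_size, although that mismatch already means the file's header values are inconsistent. Consider rejecting the case outright (for example `if (expected_len > uncompressed_size) return AVERROR_INVALIDDATA;`) rather than continuing with a truncated length. With the clamp in place, zlib's uncompress() returns Z_BUF_ERROR when the stream inflates to more than dest_len, so oversized data lands in the `!= Z_OK` error path anyway and the explicit check would make that intent visible. If the clamp stays, a one-line comment stating that uncompressed_size is the allocated size of td->tmp would help, since only the subject line says so and nothing in the hunk shows that relationship.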
-- 
2.10.2

