[FFmpeg-devel] [PATCH]lavc/pnmdec: Do not fail by default for truncated pbm files

Michael Niedermayer michael at niedermayer.cc
Mon Sep 5 10:21:02 EEST 2016 

On Sun, Sep 04, 2016 at 08:58:44PM +0200, Carl Eugen Hoyos wrote:
> Hi!
> 
> Some scanner - scannersoftware combination (HP_Officejet_Pro_X476dn_MFP 
> - sane) truncates trailing zeros in pbm files and FreeImage (a library 
> used in free and proprietary image software) reads such files.
> Attached patch copies this behaviour and fixes ticket #5795.
> 
> Please comment, Carl Eugen

>  pnmdec.c |   10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> fd31d6d029cade2e5eb2f2a705067cdaa2ab02d5  0001-lavc-pnmdec-Do-not-abort-by-default-for-truncated-pb.patch
> From af00c56b38b28e07bbba46031472da41300a8cf1 Mon Sep 17 00:00:00 2001
> From: Carl Eugen Hoyos <cehoyos at ag.or.at>
> Date: Sun, 4 Sep 2016 20:52:28 +0200
> Subject: [PATCH] lavc/pnmdec: Do not abort by default for truncated pbm
>  files.
> 
> Fixes ticket #5795.
> ---
>  libavcodec/pnmdec.c |   10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
> index d4261a4..0b7a0f6 100644
> --- a/libavcodec/pnmdec.c
> +++ b/libavcodec/pnmdec.c
> @@ -124,8 +124,12 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
>      do_read:
>          ptr      = p->data[0];
>          linesize = p->linesize[0];
> -        if (s->bytestream + n * avctx->height > s->bytestream_end)
> -            return AVERROR_INVALIDDATA;
> +        if (s->bytestream + n * avctx->height > s->bytestream_end) {
> +            av_log(avctx, AV_LOG_ERROR,
> +                   "Invalid truncated file\n");
> +            if (avctx->strict_std_compliance >= FF_COMPLIANCE_STRICT)
> +                return AVERROR_INVALIDDATA;
> +        }
>          if(s->type < 4 || (is_mono && s->type==7)){
>              for (i=0; i<avctx->height; i++) {
>                  PutBitContext pb;

> @@ -159,6 +163,8 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
>              }
>          }else{
>          for (i = 0; i < avctx->height; i++) {
> +            if (s->bytestream + n > s->bytestream_end)
> +                continue;

having a pointer point outside of 0..array length is undefined
behaviour (and can overflow in principle)


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20160905/fbced6b5/attachment.sig>

More information about the ffmpeg-devel mailing list