[FFmpeg-devel] [PATCH v2] avcodec/interplayvideo: Check sizes of decode buffers
Paul B Mahol
onemda at gmail.com
Mon Jul 3 12:43:05 EEST 2017
On 7/2/17, Hein-Pieter van Braam <hp at tmm.cx> wrote:
> Fixes: 6503 crash with fuzzed file
>
> Signed-off-by: Hein-Pieter van Braam <hp at tmm.cx>
> ---
> libavcodec/interplayvideo.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
> index d6f484a..86530e6 100644
> --- a/libavcodec/interplayvideo.c
> +++ b/libavcodec/interplayvideo.c
> @@ -972,6 +972,8 @@ static void
> ipvideo_decode_format_06_opcodes(IpvideoContext *s, AVFrame *frame)
> x, y, opcode, bytestream2_tell(&s->stream_ptr));
>
> s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0];
> + if (s->pixel_ptr > (s->pixel_ptr +
> s->upper_motion_limit_offset))
> + return;
This looks strange.
> ipvideo_format_06_passes[pass](s, frame, opcode);
> }
> }
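Review bot: The guard added after the `s->pixel_ptr = frame->data[0] + x + y * frame->linesize[0];` assignment compares `s->pixel_ptr` with `s->pixel_ptr + s->upper_motion_limit_offset`, so the block position cancels out and the condition does not depend on x or y at all: it is false for every block when the offset is non-negative and true for every block otherwise, so it cannot reject an out-of-range pixel_ptr, and forming `s->pixel_ptr + offset` is itself undefined once it points outside the frame buffer. The field name suggests the offset is measured from the frame base rather than from the current block (inferred, not visible in this hunk); if that is how it is set, the check should read `if (s->pixel_ptr > frame->data[0] + s->upper_motion_limit_offset) return;`. The same defect is in the second hunk, in ipvideo_decode_format_10_opcodes, where the base would be `s->cur_decode_frame->data[0]`. The limit must also leave room for the whole block written from pixel_ptr, not just the first byte — confirm against where upper_motion_limit_offset is assigned. The enclosing function begins and ends outside this hunk.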
> @@ -1043,6 +1045,12 @@ static void
> ipvideo_decode_format_10_opcodes(IpvideoContext *s, AVFrame *frame)
> for (y = 0; y < s->avctx->height; y += 8) {
> for (x = 0; x < s->avctx->width; x += 8) {
> s->pixel_ptr = s->cur_decode_frame->data[0] + x + y *
> s->cur_decode_frame->linesize[0];
> + if (s->pixel_ptr > s->pixel_ptr +
> s->upper_motion_limit_offset)
> + return;
This too.
> +
> + if (s->cur_decode_frame->width != s->avctx->width ||
> + s->cur_decode_frame->height != s->avctx->height)
> + return;
>
> while (skip <= 0) {
> if (skip != -0x8000 && skip) {
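Review bot: The added width/height comparison between `s->cur_decode_frame` and `s->avctx` is loop-invariant but sits inside the per-block x/y loops, after `s->pixel_ptr` has already been computed from `cur_decode_frame->data[0]` and `linesize[0]` under the avctx dimensions — the very case the check is meant to exclude. Hoist the two-line check above `for (y = 0; y < s->avctx->height; y += 8) {` so a mismatched decode frame is rejected before any pointer into it is formed and before the loops start. The enclosing function starts before and continues after this hunk.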
> --
> 2.9.4
>