On Wed, Nov 11, 2015 at 1:15 AM, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote: > A too small buffer will cause segfaults somewhere below > decompress_texture_thread. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavcodec/dds.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/libavcodec/dds.c b/libavcodec/dds.c > index 324e665..c918cf0 100644 > --- a/libavcodec/dds.c > +++ b/libavcodec/dds.c > @@ -642,9 +642,18 @@ static int dds_decode(AVCodecContext *avctx, void *data, > return ret; > > if (ctx->compressed) { > + int size = (avctx->coded_height / TEXTURE_BLOCK_H) * > + (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio; > ctx->slice_count = av_clip(avctx->thread_count, 1, > avctx->coded_height / TEXTURE_BLOCK_H); > > + if (bytestream2_get_bytes_left(gbc) < size) { > + av_log(avctx, AV_LOG_ERROR, > + "Compressed Buffer is too small (%d < %d).\n", > + bytestream2_get_bytes_left(gbc), size); > + return AVERROR_INVALIDDATA; > + } > + > /* Use the decompress function on the texture, one block per thread. > */ > ctx->tex_data = gbc->buffer; > avctx->execute2(avctx, decompress_texture_thread, frame, NULL, > ctx->slice_count); > --
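Review bot: The product in the added `int size = ...` line at the top of the `if (ctx->compressed)` block is evaluated in `int`, so for large `coded_height` and `coded_width` values it can overflow and wrap to a small or negative number, and the `bytestream2_get_bytes_left(gbc) < size` check would then pass on a buffer that is still too short. Unless the dimensions are already bounded earlier in the decoder (not visible in this hunk), compute it in a 64-bit type, for example `int64_t size = (int64_t)(avctx->coded_height / TEXTURE_BLOCK_H) * (avctx->coded_width / TEXTURE_BLOCK_W) * ctx->tex_ratio;`, and adjust the format in the `av_log` call to match. The two divisions also round down, so the check only accounts for whole blocks; that is sufficient only if the coded dimensions are always multiples of `TEXTURE_BLOCK_H` and `TEXTURE_BLOCK_W`.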
Not sure if we should check this before the ff_get_buffer to avoid an allocation in case of error, but I think the patch is correct.
--
Vittorio
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel