Re: [libav-devel] [PATCH 1/3] DPX decoder: add buffer size checks.

Sun, 01 May 2011 08:26:43 -0700 

On 5/1/11 3:03 PM, Reinhard Tartler wrote:

From: Reimar Döffinger<[email protected]>

---
  libavcodec/dpx.c |   19 ++++++++++++++-----
  1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index 36a4a39..82891d6 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx,

      unsigned int rgbBuffer;

+    if (avpkt->size<= 0x324) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n");
+        return AVERROR_INVALIDDATA;
+    }
+
      magic_num = AV_RB32(buf);
      buf += 4;

@@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx,
      }

      offset = read32(&buf, endian);
+    if (avpkt->size<= offset) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n");
+        return AVERROR_INVALIDDATA;
+    }
      // Need to end in 0x304 offset from start of file
      buf = avpkt->data + 0x304;
      w = read32(&buf, endian);
@@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx,
          case 10:
              avctx->pix_fmt = PIX_FMT_RGB48;
              target_packet_size = 6;
-            source_packet_size = elements * 2;
+            source_packet_size = 4;
              break;
          case 12:
          case 16:
@@ -156,6 +165,10 @@ static int decode_frame(AVCodecContext *avctx,
      ptr    = p->data[0];
      stride = p->linesize[0];

+    if (source_packet_size*avctx->width*avctx->height>  buf_end - buf) {
+        av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+        return -1;
+    }
      switch (bits_per_color) {
          case 10:
              for (x = 0; x<  avctx->height; x++) {
@@ -173,10 +186,6 @@ static int decode_frame(AVCodecContext *avctx,
          case 8:
          case 12: // Treat 12-bit as 16-bit
          case 16:
-            if (source_packet_size*avctx->width*avctx->height>  buf_end - buf) 
{
-                av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid 
header?\n");
-                return -1;
-            }
              if (source_packet_size == target_packet_size) {
                  for (x = 0; x<  avctx->height; x++) {
                      memcpy(ptr, buf, target_packet_size*avctx->width);
Seems ok, I'd make the blocks have all a space before and one after, but could be done later. 

lu
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to