On Thu, Nov 24, 2011 at 11:26:41AM +0100, Anton Khirnov wrote:
> From: Reimar Döffinger <[email protected]>
>
> There were multiple issues, for example might we have to re-run
> the decompression when the size of the buffer increased,
> we should always use a decompression buffer large enough for
> the header (so we do not get stuck when the size is too small).
>
> Signed-off-by: Anton Khirnov <[email protected]>
> ---
> libavcodec/nuv.c | 38 ++++++++++++++++++++++++++------------
> 1 files changed, 26 insertions(+), 12 deletions(-)
>
> diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
> index 7cb94cb..126904a 100644
> --- a/libavcodec/nuv.c
> +++ b/libavcodec/nuv.c
> @@ -20,6 +20,7 @@
> */
> #include <stdio.h>
> #include <stdlib.h>
> +#include <limits.h>
I have a bad feeling about this include.
> #include "libavutil/bswap.h"
> #include "libavutil/lzo.h"
> @@ -112,19 +113,23 @@ static int codec_reinit(AVCodecContext *avctx, int
> width, int height, int qualit
> if (quality >= 0)
> get_quant_quality(c, quality);
> if (width != c->width || height != c->height) {
> - if (av_image_check_size(height, width, 0, avctx) < 0)
> - return 0;
> + // also reserve space for a possible additional header
> + int buf_size = 24 + height * width * 3 / 2 + AV_LZO_OUTPUT_PADDING;
> + if (av_image_check_size(height, width, 0, avctx) < 0 ||
> + buf_size > INT_MAX/8)
> + return -1;
buf_size check seems to be quite arbitrary
The rest looks hacky but more or less acceptable.
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
