On Fri, Jun 17, 2016 at 8:32 AM, Anton Khirnov <[email protected]> wrote:
> Quoting Vittorio Giovara (2016-06-06 18:31:56)
>> From: Paul B Mahol <[email protected]>
>>
>> + s->slice_height = bytestream2_get_le32(&gbyte);
>> + if ((s->slice_height <= 0) || (s->slice_height > INT_MAX -
>> avctx->coded_height)) {
>> + av_log(avctx, AV_LOG_ERROR,
>> + "invalid slice height: %ld\n", s->slice_height);
>> + return AVERROR_INVALIDDATA;
>> + }
>> +
>> + bytestream2_skip(&gbyte, 4);
>> +
>> + s->nb_slices = (avctx->coded_height + s->slice_height - 1) /
>> s->slice_height;
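Review bot: the av_log call in the slice-height error path prints s->slice_height with %ld, while the check just above bounds the same field against INT_MAX - avctx->coded_height and nb_slices is printed with %d further down; if slice_height is declared as int, the specifier does not match its argument, so use %d or cast the argument to match. Separately, bytestream2_skip(&gbyte, 4) discards four header bytes without a comment saying which field they hold; a one-line comment there would help.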
>
> You're not checking that the number of slices is larger than zero (or
> equivalently that the coded height is non-zero).
>
> Also, are the non-coded dimensions ever set?
No, I changed the code above this block to use ff_set_dimensions which
should address both points.
>> + if (s->nb_slices > INT_MAX / sizeof(Slice)) {
>> + av_log(avctx, AV_LOG_ERROR,
>> + "invalid number of slices: %d\n", s->nb_slices);
>> + return AVERROR_INVALIDDATA;
>> + }
>> +
>> + for (i = 0; i < s->planes; i++) {
>> + av_fast_malloc(&s->slices[i], (unsigned *)&s->slices_size[i],
>> s->nb_slices * sizeof(Slice));
>> + if (!s->slices[i])
>> + return AVERROR(ENOMEM);
>> +
>> + offset = bytestream2_get_le32(&gbyte);
>> + if (offset >= avpkt->size - header_size)
>> + return AVERROR_INVALIDDATA;
>> +
>> + if (i == 0)
>> + first_offset = offset;
>> +
>> + for (j = 0; j < s->nb_slices - 1; j++) {
>> + s->slices[i][j].start = offset + header_size;
>> + next_offset = bytestream2_get_le32(&gbyte);
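Review bot: the bound check "offset >= avpkt->size - header_size" assumes the packet is at least header_size bytes long, and nothing in these lines establishes that; for a shorter packet the right-hand side goes negative (or wraps, if header_size is unsigned) and the comparison no longer bounds offset. Unless it is already done earlier in the function, compare avpkt->size with header_size before the plane loop. The (unsigned *) cast on &s->slices_size[i] in the av_fast_malloc call also suggests the field is not declared with the type the function expects; declaring slices_size as unsigned int would remove the need for the cast.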
>
> You should check that this is larger than the previous offset here. And
> probably move the check from the end of the loop here as well.
ok
--
Vittorio
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel