aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2011-03-25 18:58:07 +0100
committerReinhard Tartler <siretart@tauware.de>2011-05-01 19:35:55 +0200
commit3777ea13fbf690003f8b0d83a8bffb6e1d71c3df (patch)
tree04064eef1a251a2a530375c7a496dc639de87275
parent63b1866ae1e19ff0d694746a84e2eac859cda462 (diff)
downloadffmpeg-3777ea13fbf690003f8b0d83a8bffb6e1d71c3df.tar.gz
DPX decoder: add buffer size checks.
-rw-r--r--libavcodec/dpx.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index 36a4a39b5d..82891d6b42 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx,
unsigned int rgbBuffer;
+ if (avpkt->size <= 0x324) {
+ av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n");
+ return AVERROR_INVALIDDATA;
+ }
+
magic_num = AV_RB32(buf);
buf += 4;
@@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx,
}
offset = read32(&buf, endian);
+ if (avpkt->size <= offset) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n");
+ return AVERROR_INVALIDDATA;
+ }
// Need to end in 0x304 offset from start of file
buf = avpkt->data + 0x304;
w = read32(&buf, endian);
@@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx,
case 10:
avctx->pix_fmt = PIX_FMT_RGB48;
target_packet_size = 6;
- source_packet_size = elements * 2;
+ source_packet_size = 4;
break;
case 12:
case 16:
@@ -156,6 +165,10 @@ static int decode_frame(AVCodecContext *avctx,
ptr = p->data[0];
stride = p->linesize[0];
+ if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+ av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+ return -1;
+ }
switch (bits_per_color) {
case 10:
for (x = 0; x < avctx->height; x++) {
@@ -173,10 +186,6 @@ static int decode_frame(AVCodecContext *avctx,
case 8:
case 12: // Treat 12-bit as 16-bit
case 16:
- if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
- av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
- return -1;
- }
if (source_packet_size == target_packet_size) {
for (x = 0; x < avctx->height; x++) {
memcpy(ptr, buf, target_packet_size*avctx->width);