diff options
author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2011-03-25 18:58:07 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2011-05-01 19:35:55 +0200 |
commit | 3777ea13fbf690003f8b0d83a8bffb6e1d71c3df (patch) | |
tree | 04064eef1a251a2a530375c7a496dc639de87275 | |
parent | 63b1866ae1e19ff0d694746a84e2eac859cda462 (diff) | |
download | ffmpeg-3777ea13fbf690003f8b0d83a8bffb6e1d71c3df.tar.gz |
DPX decoder: add buffer size checks.
-rw-r--r-- | libavcodec/dpx.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 36a4a39b5d..82891d6b42 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -68,6 +68,11 @@ static int decode_frame(AVCodecContext *avctx, unsigned int rgbBuffer; + if (avpkt->size <= 0x324) { + av_log(avctx, AV_LOG_ERROR, "Packet too small for DPX header\n"); + return AVERROR_INVALIDDATA; + } + magic_num = AV_RB32(buf); buf += 4; @@ -83,6 +88,10 @@ static int decode_frame(AVCodecContext *avctx, } offset = read32(&buf, endian); + if (avpkt->size <= offset) { + av_log(avctx, AV_LOG_ERROR, "Invalid data start offset\n"); + return AVERROR_INVALIDDATA; + } // Need to end in 0x304 offset from start of file buf = avpkt->data + 0x304; w = read32(&buf, endian); @@ -122,7 +131,7 @@ static int decode_frame(AVCodecContext *avctx, case 10: avctx->pix_fmt = PIX_FMT_RGB48; target_packet_size = 6; - source_packet_size = elements * 2; + source_packet_size = 4; break; case 12: case 16: @@ -156,6 +165,10 @@ static int decode_frame(AVCodecContext *avctx, ptr = p->data[0]; stride = p->linesize[0]; + if (source_packet_size*avctx->width*avctx->height > buf_end - buf) { + av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n"); + return -1; + } switch (bits_per_color) { case 10: for (x = 0; x < avctx->height; x++) { @@ -173,10 +186,6 @@ static int decode_frame(AVCodecContext *avctx, case 8: case 12: // Treat 12-bit as 16-bit case 16: - if (source_packet_size*avctx->width*avctx->height > buf_end - buf) { - av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n"); - return -1; - } if (source_packet_size == target_packet_size) { for (x = 0; x < avctx->height; x++) { memcpy(ptr, buf, target_packet_size*avctx->width); |