diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2015-06-29 22:32:02 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2015-07-20 04:43:41 +0200 |
| commit | 917544b2eace14097b2e4437dc0df972e8016e97 (patch) | |
| tree | c9a97c8979aabc785d3eed9d75066de8858c76b3 | |
| parent | 873b08f4111af41d2456662db86075a450d3ca81 (diff) | |
| download | ffmpeg-917544b2eace14097b2e4437dc0df972e8016e97.tar.gz | |
avcodec/pngdec: Check values before updating context in decode_fctl_chunk()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b54ac8403bfea4e7fab0799ccfe728ba76959a38)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/pngdec.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 4a541d49a2..dd71f27015 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -810,6 +810,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, uint32_t length) { uint32_t sequence_number; + int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op; if (length != 26) return AVERROR_INVALIDDATA; @@ -820,23 +821,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, } sequence_number = bytestream2_get_be32(&s->gb); - s->cur_w = bytestream2_get_be32(&s->gb); - s->cur_h = bytestream2_get_be32(&s->gb); - s->x_offset = bytestream2_get_be32(&s->gb); - s->y_offset = bytestream2_get_be32(&s->gb); + cur_w = bytestream2_get_be32(&s->gb); + cur_h = bytestream2_get_be32(&s->gb); + x_offset = bytestream2_get_be32(&s->gb); + y_offset = bytestream2_get_be32(&s->gb); bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */ - s->dispose_op = bytestream2_get_byte(&s->gb); - s->blend_op = bytestream2_get_byte(&s->gb); + dispose_op = bytestream2_get_byte(&s->gb); + blend_op = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ if (sequence_number == 0 && - (s->cur_w != s->width || - s->cur_h != s->height || - s->x_offset != 0 || - s->y_offset != 0) || - s->cur_w <= 0 || s->cur_h <= 0 || - s->x_offset < 0 || s->y_offset < 0 || - s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset) + (cur_w != s->width || + cur_h != s->height || + x_offset != 0 || + y_offset != 0) || + cur_w <= 0 || cur_h <= 0 || + x_offset < 0 || y_offset < 0 || + cur_w > s->width - x_offset|| cur_h > s->height - y_offset) return AVERROR_INVALIDDATA; /* always (re)start with a clean frame */ @@ -850,6 +851,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, s->dispose_op = APNG_DISPOSE_OP_NONE; } + s->cur_w = cur_w; + s->cur_h = cur_h; + s->x_offset = x_offset; + s->y_offset = y_offset; + s->dispose_op = dispose_op; + s->blend_op = blend_op; + return 0; } |