diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2021-04-03 15:19:22 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-04-03 19:43:39 +0200 |
| commit | a80b0ee981c45d25651892f96a03650ed6f430e1 (patch) | |
| tree | eaf705fb902c35040edd74f1cdb77251af497c4a | |
| parent | de40b2fe416bad556b7f2b7f58c1df2aab90cbfa (diff) | |
| download | ffmpeg-a80b0ee981c45d25651892f96a03650ed6f430e1.tar.gz | |
avcodec/cfhd: Require valid setup before Lowpass coefficients, BandHeader and BandSecondPass
Previously the code skipped all security checks when these where encountered but prior data was incorrect.
Also replace an always true condition by an assert
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b88c88fa1888c47b0767d84bfebf1fd656c7846)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/cfhd.c | 39 |
1 files changed, 27 insertions, 12 deletions
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index d719fbd65d..8bf910cde6 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -701,11 +701,18 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual]; /* Lowpass coefficients */ - if (tag == BitstreamMarker && data == 0xf0f && s->a_width && s->a_height) { - int lowpass_height = s->plane[s->channel_num].band[0][0].height; - int lowpass_width = s->plane[s->channel_num].band[0][0].width; - int lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height; - int lowpass_a_width = s->plane[s->channel_num].band[0][0].a_width; + if (tag == BitstreamMarker && data == 0xf0f) { + int lowpass_height, lowpass_width, lowpass_a_height, lowpass_a_width; + + if (!s->a_width || !s->a_height) { + ret = AVERROR_INVALIDDATA; + goto end; + } + + lowpass_height = s->plane[s->channel_num].band[0][0].height; + lowpass_width = s->plane[s->channel_num].band[0][0].width; + lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height; + lowpass_a_width = s->plane[s->channel_num].band[0][0].a_width; if (lowpass_width < 3 || lowpass_width > lowpass_a_width) { @@ -755,17 +762,25 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Lowpass coefficients %d\n", lowpass_width * lowpass_height); } - if ((tag == BandHeader || tag == BandSecondPass) && s->subband_num_actual != 255 && s->a_width && s->a_height) { - int highpass_height = s->plane[s->channel_num].band[s->level][s->subband_num].height; - int highpass_width = s->plane[s->channel_num].band[s->level][s->subband_num].width; - int highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width; - int highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height; - int highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride; + av_assert0(s->subband_num_actual != 255); + if (tag == BandHeader || tag == BandSecondPass) { + int highpass_height, highpass_width, highpass_a_width, highpass_a_height, highpass_stride, a_expected; int expected; - int a_expected = highpass_a_height * highpass_a_width; int level, run, coeff; int count = 0, bytes; + if (!s->a_width || !s->a_height) { + ret = AVERROR_INVALIDDATA; + goto end; + } + + highpass_height = s->plane[s->channel_num].band[s->level][s->subband_num].height; + highpass_width = s->plane[s->channel_num].band[s->level][s->subband_num].width; + highpass_a_width = s->plane[s->channel_num].band[s->level][s->subband_num].a_width; + highpass_a_height = s->plane[s->channel_num].band[s->level][s->subband_num].a_height; + highpass_stride = s->plane[s->channel_num].band[s->level][s->subband_num].stride; + a_expected = highpass_a_height * highpass_a_width; + if (!got_buffer) { av_log(avctx, AV_LOG_ERROR, "No end of header tag found\n"); ret = AVERROR(EINVAL); |