diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-10 02:33:19 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-18 14:26:40 +0200 |
| commit | d661cfc184bcf0bb13bb11fdba6f5d4493675f85 (patch) | |
| tree | 6af2e5d60a019151f85d3f445f46b4ec655bfabd /libavformat/mlvdec.c | |
| parent | 0d560873da2fc851955e95957473026d2d2243cc (diff) | |
| download | ffmpeg-d661cfc184bcf0bb13bb11fdba6f5d4493675f85.tar.gz | |
avformat/mlvdec: Only store dimensions after having validated them
Otherwise it might happen that invalid dimensions are used when reading
a video packet; this might lead to undefined overflow.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Diffstat (limited to 'libavformat/mlvdec.c')
| -rw-r--r-- | libavformat/mlvdec.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 50913fa685..f08aabf4e0 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -132,23 +132,25 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f break; size -= 16; if (vst && type == MKTAG('R','A','W','I') && size >= 164) { - vst->codecpar->width = avio_rl16(pb); - vst->codecpar->height = avio_rl16(pb); - ret = av_image_check_size(vst->codecpar->width, vst->codecpar->height, 0, avctx); + unsigned width = avio_rl16(pb); + unsigned height = avio_rl16(pb); + unsigned bits_per_coded_sample; + ret = av_image_check_size(width, height, 0, avctx); if (ret < 0) return ret; if (avio_rl32(pb) != 1) avpriv_request_sample(avctx, "raw api version"); avio_skip(pb, 20); // pointer, width, height, pitch, frame_size - vst->codecpar->bits_per_coded_sample = avio_rl32(pb); - if (vst->codecpar->bits_per_coded_sample < 0 || - vst->codecpar->bits_per_coded_sample > (INT_MAX - 7) / (vst->codecpar->width * vst->codecpar->height)) { + bits_per_coded_sample = avio_rl32(pb); + if (bits_per_coded_sample > (INT_MAX - 7) / (width * height)) { av_log(avctx, AV_LOG_ERROR, - "invalid bits_per_coded_sample %d (size: %dx%d)\n", - vst->codecpar->bits_per_coded_sample, - vst->codecpar->width, vst->codecpar->height); + "invalid bits_per_coded_sample %u (size: %ux%u)\n", + bits_per_coded_sample, width, height); return AVERROR_INVALIDDATA; } + vst->codecpar->width = width; + vst->codecpar->height = height; + vst->codecpar->bits_per_coded_sample = bits_per_coded_sample; avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias if (avio_rl32(pb) != 0x2010100) /* RGGB */ avpriv_request_sample(avctx, "cfa_pattern"); |