diff options
author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-10 02:33:19 +0200 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2021-02-27 07:20:56 +0100 |
commit | 2617956abd5ac8339cb2f3fb4ab7b64f83743ebd (patch) | |
tree | 05b428eeb2da2f58f7e61ef8ec750c4f0d5ef950 /libavformat | |
parent | 45c83744fd3b813730be6f9c09341be77e7518ce (diff) | |
download | ffmpeg-2617956abd5ac8339cb2f3fb4ab7b64f83743ebd.tar.gz |
avformat/mlvdec: Only store dimensions after having validated them
Otherwise it might happen that invalid dimensions are used when reading
a video packet; this might lead to undefined overflow.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d661cfc184bcf0bb13bb11fdba6f5d4493675f85)
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/mlvdec.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 50913fa685..f08aabf4e0 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -132,23 +132,25 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f break; size -= 16; if (vst && type == MKTAG('R','A','W','I') && size >= 164) { - vst->codecpar->width = avio_rl16(pb); - vst->codecpar->height = avio_rl16(pb); - ret = av_image_check_size(vst->codecpar->width, vst->codecpar->height, 0, avctx); + unsigned width = avio_rl16(pb); + unsigned height = avio_rl16(pb); + unsigned bits_per_coded_sample; + ret = av_image_check_size(width, height, 0, avctx); if (ret < 0) return ret; if (avio_rl32(pb) != 1) avpriv_request_sample(avctx, "raw api version"); avio_skip(pb, 20); // pointer, width, height, pitch, frame_size - vst->codecpar->bits_per_coded_sample = avio_rl32(pb); - if (vst->codecpar->bits_per_coded_sample < 0 || - vst->codecpar->bits_per_coded_sample > (INT_MAX - 7) / (vst->codecpar->width * vst->codecpar->height)) { + bits_per_coded_sample = avio_rl32(pb); + if (bits_per_coded_sample > (INT_MAX - 7) / (width * height)) { av_log(avctx, AV_LOG_ERROR, - "invalid bits_per_coded_sample %d (size: %dx%d)\n", - vst->codecpar->bits_per_coded_sample, - vst->codecpar->width, vst->codecpar->height); + "invalid bits_per_coded_sample %u (size: %ux%u)\n", + bits_per_coded_sample, width, height); return AVERROR_INVALIDDATA; } + vst->codecpar->width = width; + vst->codecpar->height = height; + vst->codecpar->bits_per_coded_sample = bits_per_coded_sample; avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias if (avio_rl32(pb) != 0x2010100) /* RGGB */ avpriv_request_sample(avctx, "cfa_pattern"); |