Re: [FFmpeg-devel] [libav-devel] [PATCH] xwddec: prevent overflow of lsize * avctx->height

Sat, 19 Dec 2015 03:18:07 -0800 

On 19.12.2015 01:32, Michael Niedermayer wrote:
> On Fri, Dec 18, 2015 at 08:13:06PM +0100, Andreas Cadhalpun wrote:
>>  xwddec.c |    6 ++++++
>>  1 file changed, 6 insertions(+)
>> 0be27d89a669445b523bfdac99884065e3581f3c  
>> 0001-xwddec-prevent-overflow-of-lsize-avctx-height.patch
>> From fb40616d7b432680b92dc3adc44a5b5d12fac55d Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> Date: Fri, 18 Dec 2015 19:28:51 +0100
>> Subject: [PATCH] xwddec: prevent overflow of lsize * avctx->height
>>
>> This is used to check if the input buffer is larger enough, so if this
>> overflows it can cause a false negative leading to a segmentation fault
>> in bytestream2_get_bufferu.
> 
> cant the addition overflow too in the input buffer check ?

Probably.

> if so then using 64bit in the input buffer check would avoid the
> need for a explicit check on lsize

Indeed, that's simpler. New patch attached.

Best regards,
Andreas


>From 8c0d712cfa6bc7e429826d330887be9463006534 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Fri, 18 Dec 2015 19:28:51 +0100
Subject: [PATCH] xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is larger enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/xwddec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 2febedc..64cd841 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
         return AVERROR_INVALIDDATA;
     }
 
-    if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) {
+    if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) {
         av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
         return AVERROR_INVALIDDATA;
     }
-- 
2.6.2


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Reply via email to