On Sat, Dec 19, 2015 at 11:49:02PM +0100, Andreas Cadhalpun wrote: > A negative bits_per_coded_sample doesn't make sense. > If it is too large, the size calculation for av_get_packet overflows, > resulting in allocation of a too small buffer. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavformat/mlvdec.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c > index 4b3bdc1..2e57aae 100644 > --- a/libavformat/mlvdec.c > +++ b/libavformat/mlvdec.c > @@ -135,6 +135,15 @@ static int scan_file(AVFormatContext *avctx, AVStream > *vst, AVStream *ast, int f > avpriv_request_sample(avctx, "raw api version"); > avio_skip(pb, 20); // pointer, width, height, pitch, frame_size > vst->codec->bits_per_coded_sample = avio_rl32(pb); > + if (vst->codec->bits_per_coded_sample < 0 || > + (vst->codec->width && vst->codec->height && > + vst->codec->bits_per_coded_sample > (INT_MAX - 7) / > (vst->codec->width * vst->codec->height))) { > + av_log(avctx, AV_LOG_ERROR, > + "invalid bits_per_coded_sample %d (size: %dx%d)\n", > + vst->codec->bits_per_coded_sample, > + vst->codec->width, vst->codec->height); > + return AVERROR_INVALIDDATA; > + } > avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, > active_area, exposure_bias > if (avio_rl32(pb) != 0x2010100) /* RGGB */ > avpriv_request_sample(avctx, "cfa_pattern"); > -- > 2.6.2
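Review bot: The divisor `vst->codec->width * vst->codec->height` in the new bound is itself a plain int multiplication, and nothing in the hunk limits either factor, so with large dimensions the product can overflow before the division and the check no longer protects the later size calculation. The `width && height` test also only excludes zero, so negative dimensions reach the division. Doing the comparison in 64-bit, for example `(int64_t)width * height * bits_per_coded_sample > INT_MAX - 7`, or rejecting out-of-range dimensions before this test, would close that gap. A one-line comment naming the size expression that the `INT_MAX - 7` bound mirrors would also make the constant easier to audit.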
Looks good. -- Peter (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel