[FFmpeg-devel] avcodec/gifdec: truncate too big width/height for invalid gif files

Submitted by Paul B Mahol on Dec. 10, 2018, 12:34 p.m.

Details

Message ID 20181210123453.10874-1-onemda@gmail.com
State New

Commit Message

Paul B Mahol Dec. 10, 2018, 12:34 p.m.
Fixes #6874.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
---
 libavcodec/gifdec.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

Comments

Tomas Härdin Dec. 12, 2018, 12:47 p.m.
mån 2018-12-10 klockan 13:34 +0100 skrev Paul B Mahol:
> Fixes #6874.
> 
> > Signed-off-by: Paul B Mahol <onemda@gmail.com>
> ---
>  libavcodec/gifdec.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
> index 54f1d4c0ba..0eb1c21d99 100644
> --- a/libavcodec/gifdec.c
> +++ b/libavcodec/gifdec.c
> @@ -179,12 +179,20 @@ static int gif_read_image(GifState *s, AVFrame *frame)
>      }
>  
>      /* verify that all the image is inside the screen dimensions */
> -    if (!width || width > s->screen_width || left >= s->screen_width) {
> -        av_log(s->avctx, AV_LOG_ERROR, "Invalid image width.\n");
> +    if (!width || width > s->screen_width) {
> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid image width: %d, truncating.\n", width);
> +        width = s->screen_width;
> +    }
> +    if (left >= s->screen_width) {
> +        av_log(s->avctx, AV_LOG_ERROR, "Invalid left position: %d.\n", left);
>          return AVERROR_INVALIDDATA;
>      }
> -    if (!height || height > s->screen_height || top >= s->screen_height) {
> -        av_log(s->avctx, AV_LOG_ERROR, "Invalid image height.\n");
> +    if (!height || height > s->screen_height) {
> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid image height, truncating: %d.\n", height);
> +        height = s->screen_height;
> +    }
> +    if (top >= s->screen_height) {
> +        av_log(s->avctx, AV_LOG_ERROR, "Invalid top position: %d.\n", top);
>          return AVERROR_INVALIDDATA;
>      }
>      if (left + width > s->screen_width) {

Looks OK. Out of curiosity: do the files decode to something sensible,
or mostly glitchy goodness?

/Tomas
Paul B Mahol Dec. 12, 2018, 12:49 p.m.
On 12/12/18, Tomas Härdin <tjoppen@acc.umu.se> wrote:
> mån 2018-12-10 klockan 13:34 +0100 skrev Paul B Mahol:
>> Fixes #6874.
>>
>> > Signed-off-by: Paul B Mahol <onemda@gmail.com>
>> ---
>>  libavcodec/gifdec.c | 16 ++++++++++++----
>>  1 file changed, 12 insertions(+), 4 deletions(-)
>>
>> diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
>> index 54f1d4c0ba..0eb1c21d99 100644
>> --- a/libavcodec/gifdec.c
>> +++ b/libavcodec/gifdec.c
>> @@ -179,12 +179,20 @@ static int gif_read_image(GifState *s, AVFrame
>> *frame)
>>      }
>>
>>      /* verify that all the image is inside the screen dimensions */
>> -    if (!width || width > s->screen_width || left >= s->screen_width) {
>> -        av_log(s->avctx, AV_LOG_ERROR, "Invalid image width.\n");
>> +    if (!width || width > s->screen_width) {
>> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid image width: %d,
>> truncating.\n", width);
>> +        width = s->screen_width;
>> +    }
>> +    if (left >= s->screen_width) {
>> +        av_log(s->avctx, AV_LOG_ERROR, "Invalid left position: %d.\n",
>> left);
>>          return AVERROR_INVALIDDATA;
>>      }
>> -    if (!height || height > s->screen_height || top >= s->screen_height)
>> {
>> -        av_log(s->avctx, AV_LOG_ERROR, "Invalid image height.\n");
>> +    if (!height || height > s->screen_height) {
>> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid image height,
>> truncating: %d.\n", height);
>> +        height = s->screen_height;
>> +    }
>> +    if (top >= s->screen_height) {
>> +        av_log(s->avctx, AV_LOG_ERROR, "Invalid top position: %d.\n",
>> top);
>>          return AVERROR_INVALIDDATA;
>>      }
>>      if (left + width > s->screen_width) {
>
> Looks OK. Out of curiosity: do the files decode to something sensible,
> or mostly glitchy goodness?

Already applied; one buggy file decodes OK, it's linked in the
above-mentioned bug report.
Carl Eugen Hoyos Dec. 12, 2018, 2:59 p.m.
2018-12-12 13:47 GMT+01:00, Tomas Härdin <tjoppen@acc.umu.se>:
> mån 2018-12-10 klockan 13:34 +0100 skrev Paul B Mahol:
>> Fixes #6874.
>>
>> > Signed-off-by: Paul B Mahol <onemda@gmail.com>
>> ---
>>  libavcodec/gifdec.c | 16 ++++++++++++----
>>  1 file changed, 12 insertions(+), 4 deletions(-)
>>
>> diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
>> index 54f1d4c0ba..0eb1c21d99 100644
>> --- a/libavcodec/gifdec.c
>> +++ b/libavcodec/gifdec.c
>> @@ -179,12 +179,20 @@ static int gif_read_image(GifState *s, AVFrame
>> *frame)
>>      }
>>
>>      /* verify that all the image is inside the screen dimensions */
>> -    if (!width || width > s->screen_width || left >= s->screen_width) {
>> -        av_log(s->avctx, AV_LOG_ERROR, "Invalid image width.\n");
>> +    if (!width || width > s->screen_width) {
>> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid image width: %d,
>> truncating.\n", width);
>> +        width = s->screen_width;
>> +    }
>> +    if (left >= s->screen_width) {
>> +        av_log(s->avctx, AV_LOG_ERROR, "Invalid left position: %d.\n",
>> left);
>>          return AVERROR_INVALIDDATA;
>>      }
>> -    if (!height || height > s->screen_height || top >= s->screen_height)
>> {
>> -        av_log(s->avctx, AV_LOG_ERROR, "Invalid image height.\n");
>> +    if (!height || height > s->screen_height) {
>> +        av_log(s->avctx, AV_LOG_WARNING, "Invalid image height,
>> truncating: %d.\n", height);
>> +        height = s->screen_height;
>> +    }
>> +    if (top >= s->screen_height) {
>> +        av_log(s->avctx, AV_LOG_ERROR, "Invalid top position: %d.\n",
>> top);
>>          return AVERROR_INVALIDDATA;
>>      }
>>      if (left + width > s->screen_width) {
>
> Looks OK. Out of curiosity: do the files decode to something sensible,
> or mostly glitchy goodness?

I was unable to find another player that failed for the sample
(may all be libgif-based).

Carl Eugen


diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
index 54f1d4c0ba..0eb1c21d99 100644
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -179,12 +179,20 @@  static int gif_read_image(GifState *s, AVFrame *frame)
     }
 
     /* verify that all the image is inside the screen dimensions */
-    if (!width || width > s->screen_width || left >= s->screen_width) {
-        av_log(s->avctx, AV_LOG_ERROR, "Invalid image width.\n");
+    if (!width || width > s->screen_width) {
+        av_log(s->avctx, AV_LOG_WARNING, "Invalid image width: %d, truncating.\n", width);
+        width = s->screen_width;
+    }
+    if (left >= s->screen_width) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid left position: %d.\n", left);
         return AVERROR_INVALIDDATA;
     }
-    if (!height || height > s->screen_height || top >= s->screen_height) {
-        av_log(s->avctx, AV_LOG_ERROR, "Invalid image height.\n");
+    if (!height || height > s->screen_height) {
+        av_log(s->avctx, AV_LOG_WARNING, "Invalid image height, truncating: %d.\n", height);
+        height = s->screen_height;
+    }
+    if (top >= s->screen_height) {
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid top position: %d.\n", top);
         return AVERROR_INVALIDDATA;
     }
     if (left + width > s->screen_width) {
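Review bot: The clamp branches `if (!width || width > s->screen_width)` and `if (!height || height > s->screen_height)` also catch a zero dimension, so an image descriptor with width or height 0, which was rejected with AVERROR_INVALIDDATA before this change, is now promoted to the full screen size and logged as "truncating". Clamping an oversized value keeps the dimension within the screen, but expanding an empty image presumably makes the decoder read pixel data for an area the file never declared; I would keep the rejection for zero by using `if (width > s->screen_width) {` for the clamp and `if (!width || left >= s->screen_width) {` for the error, and likewise for height/top. The two warning strings also differ in word order (`"Invalid image width: %d, truncating.\n"` versus `"Invalid image height, truncating: %d.\n"`); one form for both makes the log easier to match on. gif_read_image starts and ends outside this hunk, so how the overwritten width interacts with the following `left + width > s->screen_width` branch and with the per-line decode length is not visible here and is worth confirming.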