diff mbox series

[FFmpeg-devel] avcodec/dpx: check for possible buffer overreads

Message ID 20210211230017.17360-1-onemda@gmail.com
State New
Headers show
Series [FFmpeg-devel] avcodec/dpx: check for possible buffer overreads
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Paul B Mahol Feb. 11, 2021, 11 p.m. UTC
Signed-off-by: Paul B Mahol <onemda@gmail.com>
---
 libavcodec/dpx.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Michael Niedermayer Feb. 12, 2021, 7:47 p.m. UTC | #1
On Fri, Feb 12, 2021 at 12:00:17AM +0100, Paul B Mahol wrote:
> Signed-off-by: Paul B Mahol <onemda@gmail.com>
> ---
>  libavcodec/dpx.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
> index 5372e3d586..68a2762017 100644
> --- a/libavcodec/dpx.c
> +++ b/libavcodec/dpx.c
> @@ -606,6 +606,9 @@ static int decode_frame(AVCodecContext *avctx,
>  
>      ff_set_sar(avctx, avctx->sample_aspect_ratio);
>  
> +    if (buf_size - offset < (((uint64_t)elements * avctx->width * avctx->height * bits_per_color) >> 3))
> +        return AVERROR_INVALIDDATA;

looks reasonable, i did not check that this is exactly correct for all
cases though

thx

[...]
Paul B Mahol Feb. 12, 2021, 8:04 p.m. UTC | #2
On Fri, Feb 12, 2021 at 8:48 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> On Fri, Feb 12, 2021 at 12:00:17AM +0100, Paul B Mahol wrote:
> > Signed-off-by: Paul B Mahol <onemda@gmail.com>
> > ---
> >  libavcodec/dpx.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
> > index 5372e3d586..68a2762017 100644
> > --- a/libavcodec/dpx.c
> > +++ b/libavcodec/dpx.c
> > @@ -606,6 +606,9 @@ static int decode_frame(AVCodecContext *avctx,
> >
> >      ff_set_sar(avctx, avctx->sample_aspect_ratio);
> >
> > +    if (buf_size - offset < (((uint64_t)elements * avctx->width *
> avctx->height * bits_per_color) >> 3))
> > +        return AVERROR_INVALIDDATA;
>
> looks reasonable, i did not check that this is exactly correct for all
> cases though
>

I think that there is already check for this, I just may be triggered
overreads while working on not finished code.


>
> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The worst form of inequality is to try to make unequal things equal.
> -- Aristotle
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff mbox series

Patch

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index 5372e3d586..68a2762017 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -606,6 +606,9 @@  static int decode_frame(AVCodecContext *avctx,
 
     ff_set_sar(avctx, avctx->sample_aspect_ratio);
 
+    if (buf_size - offset < (((uint64_t)elements * avctx->width * avctx->height * bits_per_color) >> 3))
+        return AVERROR_INVALIDDATA;
+
     if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
         return ret;