diff mbox

[FFmpeg-devel] pnm: limit maxval to UINT16_MAX

Message ID 41d7f03c-4ef2-76dd-86a5-c432553ebd6b@googlemail.com
State Accepted
Commit 484151df7c8f4fb45229b9b3a585efd3faa62501
Headers show

Commit Message

Andreas Cadhalpun Nov. 10, 2016, 7:54 p.m. UTC 
From 'man ppm': The maximum color value (Maxval), again in ASCII decimal.
                Must be less than 65536.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/pnm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Michael Niedermayer Nov. 11, 2016, 12:17 a.m. UTC | #1 
On Thu, Nov 10, 2016 at 08:54:37PM +0100, Andreas Cadhalpun wrote:
> From 'man ppm': The maximum color value (Maxval), again in ASCII decimal.
>                 Must be less than 65536.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavcodec/pnm.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

should be ok (unless someone extended this format to larger values)

[...]
Andreas Cadhalpun Nov. 12, 2016, 12:40 a.m. UTC | #2 
On 11.11.2016 01:17, Michael Niedermayer wrote:
> On Thu, Nov 10, 2016 at 08:54:37PM +0100, Andreas Cadhalpun wrote:
>> From 'man ppm': The maximum color value (Maxval), again in ASCII decimal.
>>                 Must be less than 65536.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavcodec/pnm.c | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> should be ok

Pushed.

> (unless someone extended this format to larger values)

In that case the code has to be changed anyway, as e.g. samplecpy
doesn't handle larger maxval correctly.

Best regards,
Andreas
diff mbox

Patch

diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c
index 1675959..4753923 100644
--- a/libavcodec/pnm.c
+++ b/libavcodec/pnm.c
@@ -107,7 +107,8 @@  int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
             }
         }
         /* check that all tags are present */
-        if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
+        if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' ||
+            av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
             return AVERROR_INVALIDDATA;
 
         avctx->width  = w;
@@ -159,7 +160,7 @@  int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
     if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) {
         pnm_get(s, buf1, sizeof(buf1));
         s->maxval = atoi(buf1);
-        if (s->maxval <= 0) {
+        if (s->maxval <= 0 || s->maxval > UINT16_MAX) {
             av_log(avctx, AV_LOG_ERROR, "Invalid maxval: %d\n", s->maxval);
             s->maxval = 255;
         }