From patchwork Thu Nov 10 19:54:37 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
X-Patchwork-Id: 1375
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.90.1 with SMTP id o1csp1032345vsb;
	Thu, 10 Nov 2016 11:54:53 -0800 (PST)
X-Received: by 10.28.96.4 with SMTP id u4mr29473385wmb.86.1478807693718;
	Thu, 10 Nov 2016 11:54:53 -0800 (PST)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	hu9si6861304wjb.230.2016.11.10.11.54.53;
	Thu, 10 Nov 2016 11:54:53 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	dkim=neutral (body hash did not verify) header.i=@googlemail.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
	dmarc=fail (p=QUARANTINE dis=NONE) header.from=googlemail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0675C689E44;
	Thu, 10 Nov 2016 21:54:48 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wm0-f68.google.com (mail-wm0-f68.google.com
	[74.125.82.68])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 679A5689E0B
	for <ffmpeg-devel@ffmpeg.org>; Thu, 10 Nov 2016 21:54:41 +0200 (EET)
Received: by mail-wm0-f68.google.com with SMTP id m203so3533446wma.3
	for <ffmpeg-devel@ffmpeg.org>; Thu, 10 Nov 2016 11:54:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20120113;
	h=from:to:subject:message-id:date:user-agent:mime-version
	:content-transfer-encoding;
	bh=Qu7IcZdjWPB+Nxm7dhjKjcQIiaQfPK4rp+eaJlMo7vs=;
	b=MzWx1wWfWy4Esa+clEI6bKIxXxuhIxZxYZxo6dyw21OlaMCjlGXlHWCXoUKixdJ9FN
	brxryWth53ryKHxGdjYNuUhN5jvVuP/RDYUl1d1fTq2oGWksh8jn350dxof2fVcr+tTU
	IG54fhPPr7RCR8PJy+mhJbSWv5Jx3LJdf3LEhsVMSy1BveDH2/S0bFdKwDk3A66FGZ11
	9ilUyvKP17n1QW04a00+GEyUhNa2aYSDr4D8BlIWsCpxfYa9WGjJbJQFBMYafpoEivjA
	+c3IU0YMQQ7Q19073VSK1JR3BAWBTB3xg67xvjzUNBesa2rwwxEuk9Yuc7BO+IVMCaYs
	8mpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:subject:message-id:date:user-agent
	:mime-version:content-transfer-encoding;
	bh=Qu7IcZdjWPB+Nxm7dhjKjcQIiaQfPK4rp+eaJlMo7vs=;
	b=b2EgBlbG0g8bJELkJM9MwclTLrOAH+VoAGdJIQk9dz5m3ZOu1vLjmgAgzC4f+/g6ST
	o/YM9SdknHw4lr26WGUWKtKki1lziy/Q11zKRHvtEtp8P4h+TvZKaS3ZUrPe6IXMN7yv
	RJxlxyW5RYFXkCymzhDk4vpj5ZD/DC1ju3/RqZ5WXLuV1T9vQKQ+wcj1wegOD8dTeNnW
	4+Vh1Jn+WjfDvKUe0OjqlyzaBJpJQLzLlp+3cp6x9k0P7TSp4R2DvGbnc9XSiONqmfJU
	Ne6PTvTCXYTKBHZ0XJKJFZg1R5/DYHN/AwDeQHeKAI9jIwXh2o5PRFNOkVyOehgFVNsd
	SzTQ==
X-Gm-Message-State: 
 ABUngvdZkIwzrHi6aKxEqzU30mCRrBgVVX8Z5vP58g3pal6WyNovbaeqlUA7ydQQYNK4Hw==
X-Received: by 10.194.120.38 with SMTP id kz6mr5870099wjb.177.1478807684456;
	Thu, 10 Nov 2016 11:54:44 -0800 (PST)
Received: from [192.168.2.21] (pD9E8ED50.dip0.t-ipconnect.de.
	[217.232.237.80]) by smtp.googlemail.com with ESMTPSA id
	ia7sm7231106wjb.23.2016.11.10.11.54.43
	for <ffmpeg-devel@ffmpeg.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 10 Nov 2016 11:54:43 -0800 (PST)
From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
X-Google-Original-From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <41d7f03c-4ef2-76dd-86a5-c432553ebd6b@googlemail.com>
Date: Thu, 10 Nov 2016 20:54:37 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Icedove/45.4.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] pnm: limit maxval to UINT16_MAX
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

From 'man ppm': The maximum color value (Maxval), again in ASCII decimal.
                Must be less than 65536.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/pnm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c
index 1675959..4753923 100644
--- a/libavcodec/pnm.c
+++ b/libavcodec/pnm.c
@@ -107,7 +107,8 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
             }
         }
         /* check that all tags are present */
-        if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
+        if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' ||
+            av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
             return AVERROR_INVALIDDATA;
 
         avctx->width  = w;
@@ -159,7 +160,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
     if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) {
         pnm_get(s, buf1, sizeof(buf1));
         s->maxval = atoi(buf1);
-        if (s->maxval <= 0) {
+        if (s->maxval <= 0 || s->maxval > UINT16_MAX) {
             av_log(avctx, AV_LOG_ERROR, "Invalid maxval: %d\n", s->maxval);
             s->maxval = 255;
         }