From patchwork Mon Sep 5 08:22:20 2016
X-Patchwork-Submitter: Carl Eugen Hoyos
X-Patchwork-Id: 421
From: Carl Eugen Hoyos
Date: Mon, 5 Sep 2016 10:22:20 +0200
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH]lavc/pnmdec: Do not fail by default for truncated pbm files

2016-09-05 9:21 GMT+02:00 Michael Niedermayer :
> On Sun, Sep 04, 2016 at 08:58:44PM +0200, Carl Eugen Hoyos wrote:
>> @@ -159,6 +163,8 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, >> } >> }else{ >> for (i = 0; i < avctx->height; i++) { >> + if (s->bytestream + n > s->bytestream_end) >> + continue; > > having a pointer point outside of 0..array length is undefined > behaviour (and can overflow in principle) New patch attached. Thank you, Carl Eugen From af00c56b38b28e07bbba46031472da41300a8cf1 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 4 Sep 2016 20:52:28 +0200 Subject: [PATCH] lavc/pnmdec: Do not fail by default for truncated pbm files. Fixes ticket #5795. --- libavcodec/pnmdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index d4261a4..0b7a0f6 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -124,8 +124,12 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, do_read: ptr = p->data[0]; linesize = p->linesize[0]; - if (n * avctx->height > s->bytestream_end - s->bytestream) - return AVERROR_INVALIDDATA; + if (n * avctx->height > s->bytestream_end - s->bytestream) { + av_log(avctx, AV_LOG_ERROR, + "Invalid truncated file\n"); + if (avctx->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + } if(s->type < 4 || (is_mono && s->type==7)){ for (i=0; iheight; i++) { PutBitContext pb; @@ -159,6 +163,8 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } }else{ for (i = 0; i < avctx->height; i++) { + if (s->bytestream > s->bytestream_end - n) + continue; if (!upgrade) samplecpy(ptr, s->bytestream, n, s->maxval); else if (upgrade == 1) { -- 1.7.10.4
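Review bot: in the first hunk of the attached patch (@@ -124,8 +124,12 @@, the size check after do_read:), dropping the unconditional return lets truncated input reach the "s->type < 4 || (is_mono && s->type==7)" branch as well, yet the patch adds a per-row guard only to the else loop. Please confirm that branch bounds its own reads against s->bytestream_end, or add an equivalent check there. A smaller point on the same lines: the message is logged at AV_LOG_ERROR even when decoding then continues below FF_COMPLIANCE_STRICT; AV_LOG_WARNING for the continuing case, with AV_LOG_ERROR kept for the path that returns AVERROR_INVALIDDATA, would match what actually happens.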
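Review bot: in the second hunk of the attached patch (@@ -159,6 +163,8 @@, the row loop in the else branch), the guard "s->bytestream > s->bytestream_end - n" still forms a pointer by arithmetic, and s->bytestream_end - n lies before the start of the buffer when n exceeds the number of bytes in it, which is the same out-of-range pointer concern raised on the previous version. Comparing lengths instead, "if (s->bytestream_end - s->bytestream < n)", in the same form as the size check in the first hunk, avoids creating any out-of-range pointer. The "continue" could also be a "break": the for header only increments i, so whatever advances s->bytestream is in the skipped body and the condition stays true for every remaining row. It would help to state, in a comment or the commit message, what the rows that are never written contain in the returned frame.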