RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-02-02 04:43:27 +00:00
Code Issues Projects Releases Wiki Activity

avcodec/pngdec: Check values before updating context in decode_fctl_chunk()

Browse Source 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b54ac8403b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2015-06-29 22:32:02 +02:00 committed by Michael Niedermayer
parent 0628dfd994
commit 6a71e748b3
1 changed files with 21 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
libavcodec/pngdec.c
View File

@ -809,6 +809,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
uint32_t length) uint32_t length)
{ {
uint32_t sequence_number; uint32_t sequence_number;
int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op;
if (length != 26) if (length != 26)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
@ -819,23 +820,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
} }
sequence_number = bytestream2_get_be32(&s->gb); sequence_number = bytestream2_get_be32(&s->gb);
s->cur_w = bytestream2_get_be32(&s->gb); cur_w = bytestream2_get_be32(&s->gb);
s->cur_h = bytestream2_get_be32(&s->gb); cur_h = bytestream2_get_be32(&s->gb);
s->x_offset = bytestream2_get_be32(&s->gb); x_offset = bytestream2_get_be32(&s->gb);
s->y_offset = bytestream2_get_be32(&s->gb); y_offset = bytestream2_get_be32(&s->gb);
bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */ bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */
s->dispose_op = bytestream2_get_byte(&s->gb); dispose_op = bytestream2_get_byte(&s->gb);
s->blend_op = bytestream2_get_byte(&s->gb); blend_op = bytestream2_get_byte(&s->gb);
bytestream2_skip(&s->gb, 4); /* crc */ bytestream2_skip(&s->gb, 4); /* crc */
if (sequence_number == 0 && if (sequence_number == 0 &&
(s->cur_w != s->width || (cur_w != s->width ||
s->cur_h != s->height || cur_h != s->height ||
s->x_offset != 0 || x_offset != 0 ||
s->y_offset != 0) || y_offset != 0) ||
s->cur_w <= 0 || s->cur_h <= 0 || cur_w <= 0 || cur_h <= 0 ||
s->x_offset < 0 || s->y_offset < 0 || x_offset < 0 || y_offset < 0 ||
s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset) cur_w > s->width - x_offset|| cur_h > s->height - y_offset)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
/* always (re)start with a clean frame */ /* always (re)start with a clean frame */
@ -849,6 +850,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->dispose_op = APNG_DISPOSE_OP_NONE; s->dispose_op = APNG_DISPOSE_OP_NONE;
} }
s->cur_w = cur_w;
s->cur_h = cur_h;
s->x_offset = x_offset;
s->y_offset = y_offset;
s->dispose_op = dispose_op;
s->blend_op = blend_op;
return 0; return 0;
} }