1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

mlvdec: validate bits_per_coded_sample

A negative bits_per_coded_sample doesn't make sense.
If it is too large, the size calculation for av_get_packet overflows,
resulting in allocation of a too small buffer.

Also make sure width and height are sane.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
Andreas Cadhalpun 2015-12-19 23:45:00 +01:00
parent 5dbd114b83
commit 7172175da6

View File

@ -25,6 +25,7 @@
*/
#include "libavutil/eval.h"
#include "libavutil/imgutils.h"
#include "libavutil/intreadwrite.h"
#include "libavutil/rational.h"
#include "avformat.h"
@ -131,10 +132,21 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f
if (vst && type == MKTAG('R','A','W','I') && size >= 164) {
vst->codec->width = avio_rl16(pb);
vst->codec->height = avio_rl16(pb);
ret = av_image_check_size(vst->codec->width, vst->codec->height, 0, avctx);
if (ret < 0)
return ret;
if (avio_rl32(pb) != 1)
avpriv_request_sample(avctx, "raw api version");
avio_skip(pb, 20); // pointer, width, height, pitch, frame_size
vst->codec->bits_per_coded_sample = avio_rl32(pb);
if (vst->codec->bits_per_coded_sample < 0 ||
vst->codec->bits_per_coded_sample > (INT_MAX - 7) / (vst->codec->width * vst->codec->height)) {
av_log(avctx, AV_LOG_ERROR,
"invalid bits_per_coded_sample %d (size: %dx%d)\n",
vst->codec->bits_per_coded_sample,
vst->codec->width, vst->codec->height);
return AVERROR_INVALIDDATA;
}
avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias
if (avio_rl32(pb) != 0x2010100) /* RGGB */
avpriv_request_sample(avctx, "cfa_pattern");