falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
Browse Source

avcodec/pngdec: Check values before updating context in decode_fctl_chunk() 

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
tags/n2.8
Michael Niedermayer 10 years ago
parent
f1ffa01dd3
commit
b54ac8403b
1 changed files with 21 additions and 13 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +21
    -13
      libavcodec/pngdec.c

+ 21
- 13
libavcodec/pngdec.c View File

@@ -815,6 +815,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
uint32_t length)
{
uint32_t sequence_number;
int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op;

if (length != 26)
return AVERROR_INVALIDDATA;
@@ -831,23 +832,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->last_dispose_op = s->dispose_op;

sequence_number = bytestream2_get_be32(&s->gb);
s->cur_w = bytestream2_get_be32(&s->gb);
s->cur_h = bytestream2_get_be32(&s->gb);
s->x_offset = bytestream2_get_be32(&s->gb);
s->y_offset = bytestream2_get_be32(&s->gb);
cur_w = bytestream2_get_be32(&s->gb);
cur_h = bytestream2_get_be32(&s->gb);
x_offset = bytestream2_get_be32(&s->gb);
y_offset = bytestream2_get_be32(&s->gb);
bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */
s->dispose_op = bytestream2_get_byte(&s->gb);
s->blend_op = bytestream2_get_byte(&s->gb);
dispose_op = bytestream2_get_byte(&s->gb);
blend_op = bytestream2_get_byte(&s->gb);
bytestream2_skip(&s->gb, 4); /* crc */

if (sequence_number == 0 &&
(s->cur_w != s->width ||
s->cur_h != s->height ||
s->x_offset != 0 ||
s->y_offset != 0) ||
s->cur_w <= 0 || s->cur_h <= 0 ||
s->x_offset < 0 || s->y_offset < 0 ||
s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset)
(cur_w != s->width ||
cur_h != s->height ||
x_offset != 0 ||
y_offset != 0) ||
cur_w <= 0 || cur_h <= 0 ||
x_offset < 0 || y_offset < 0 ||
cur_w > s->width - x_offset|| cur_h > s->height - y_offset)
return AVERROR_INVALIDDATA;

if (sequence_number == 0 && s->dispose_op == APNG_DISPOSE_OP_PREVIOUS) {
@@ -868,6 +869,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->dispose_op = APNG_BLEND_OP_SOURCE;
}

s->cur_w = cur_w;
s->cur_h = cur_h;
s->x_offset = x_offset;
s->y_offset = y_offset;
s->dispose_op = dispose_op;
s->blend_op = blend_op;

return 0;
}



Write Preview
Loading…
Cancel
Save