highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

icodec: correctly check avio_read return value

Browse Source 
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
Andreas Cadhalpun 2016-11-08 23:29:28 +01:00
parent 8a56b31e7c
commit 71fa32bbb7
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavformat/icodec.c
View File

@ -83,6 +83,10 @@ static int read_header(AVFormatContext *s)
avio_skip(pb, 5); avio_skip(pb, 5);
ico->images[i].size = avio_rl32(pb); ico->images[i].size = avio_rl32(pb);
if (ico->images[i].size <= 0) {
av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size);
return AVERROR_INVALIDDATA;
}
ico->images[i].offset = avio_rl32(pb); ico->images[i].offset = avio_rl32(pb);
if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0)
@ -148,9 +152,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
bytestream_put_le16(&buf, 0); bytestream_put_le16(&buf, 0);
bytestream_put_le32(&buf, 0); bytestream_put_le32(&buf, 0);
if ((ret = avio_read(pb, buf, image->size)) < 0) { if ((ret = avio_read(pb, buf, image->size)) != image->size) {
av_packet_unref(pkt); av_packet_unref(pkt);
return ret; return ret < 0 ? ret : AVERROR_INVALIDDATA;
} }
st->codec->bits_per_coded_sample = AV_RL16(buf + 14); st->codec->bits_per_coded_sample = AV_RL16(buf + 14);