2016-09-05 9:21 GMT+02:00 Michael Niedermayer <[email protected]>:
> On Sun, Sep 04, 2016 at 08:58:44PM +0200, Carl Eugen Hoyos wrote:
>> @@ -159,6 +163,8 @@ static int pnm_decode_frame(AVCodecContext *avctx, void
>> *data,
>> }
>> }else{
>> for (i = 0; i < avctx->height; i++) {
>> + if (s->bytestream + n > s->bytestream_end)
>> + continue;
>
> having a pointer point outside of 0..array length is undefined
> behaviour (and can overflow in principle)
New patch attached.
Thank you, Carl Eugen
From af00c56b38b28e07bbba46031472da41300a8cf1 Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <[email protected]>
Date: Sun, 4 Sep 2016 20:52:28 +0200
Subject: [PATCH] lavc/pnmdec: Do not fail by default for truncated pbm
files.
Fixes ticket #5795.
---
libavcodec/pnmdec.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
index d4261a4..0b7a0f6 100644
--- a/libavcodec/pnmdec.c
+++ b/libavcodec/pnmdec.c
@@ -124,8 +124,12 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
do_read:
ptr = p->data[0];
linesize = p->linesize[0];
- if (n * avctx->height > s->bytestream_end - s->bytestream)
- return AVERROR_INVALIDDATA;
+ if (n * avctx->height > s->bytestream_end - s->bytestream) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid truncated file\n");
+ if (avctx->strict_std_compliance >= FF_COMPLIANCE_STRICT)
+ return AVERROR_INVALIDDATA;
+ }
if(s->type < 4 || (is_mono && s->type==7)){
for (i=0; i<avctx->height; i++) {
PutBitContext pb;
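Review bot: With the early return now taken only for FF_COMPLIANCE_STRICT, the `s->type < 4 || (is_mono && s->type==7)` branch directly below runs on input already known to be shorter than `n * avctx->height`, while this patch adds a per-row guard only in the `else` loop. Please confirm that the reads in that first branch are bounded by `s->bytestream_end`, or add an equivalent check there. Since decoding continues in the default case, AV_LOG_WARNING would fit the message better than AV_LOG_ERROR, keeping the error level for the path that returns AVERROR_INVALIDDATA.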
@@ -159,6 +163,8 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data,
}
}else{
for (i = 0; i < avctx->height; i++) {
+ if (s->bytestream > s->bytestream_end - n)
+ continue;
if (!upgrade)
samplecpy(ptr, s->bytestream, n, s->maxval);
else if (upgrade == 1) {
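Review bot: In the added check `s->bytestream > s->bytestream_end - n`, the subtraction still forms a pointer before the start of the buffer whenever `n` is larger than the buffer, which is the same out-of-range pointer problem raised against the previous version. Comparing lengths avoids forming any such pointer: `if (n > s->bytestream_end - s->bytestream)`. Nothing advances `s->bytestream` on the skipped path, so once the condition is true it stays true for every remaining row, and `break` states that more directly than `continue`. The skipped rows are never written in this loop, so they should be cleared explicitly rather than returned with whatever the frame buffer held.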
--
1.7.10.4
_______________________________________________
ffmpeg-devel mailing list
[email protected]
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel