X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fmlvdec.c;h=c003eab64e3b339f77801934cc19b775c660e422;hb=1fec347ef56bc3f501ffdfe0d253e768666aac7f;hp=48a429eb23afb64bf05579d1854025708ff7a8f8;hpb=c6f1f334cbc50b1821b92afaee13abcd3502b34a;p=ffmpeg diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 48a429eb23a..c003eab64e3 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -25,6 +25,7 @@ */ #include "libavutil/eval.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "libavutil/rational.h" #include "avformat.h" @@ -131,10 +132,21 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f if (vst && type == MKTAG('R','A','W','I') && size >= 164) { vst->codec->width = avio_rl16(pb); vst->codec->height = avio_rl16(pb); + ret = av_image_check_size(vst->codec->width, vst->codec->height, 0, avctx); + if (ret < 0) + return ret; if (avio_rl32(pb) != 1) avpriv_request_sample(avctx, "raw api version"); avio_skip(pb, 20); // pointer, width, height, pitch, frame_size vst->codec->bits_per_coded_sample = avio_rl32(pb); + if (vst->codec->bits_per_coded_sample < 0 || + vst->codec->bits_per_coded_sample > (INT_MAX - 7) / (vst->codec->width * vst->codec->height)) { + av_log(avctx, AV_LOG_ERROR, + "invalid bits_per_coded_sample %d (size: %dx%d)\n", + vst->codec->bits_per_coded_sample, + vst->codec->width, vst->codec->height); + return AVERROR_INVALIDDATA; + } avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias if (avio_rl32(pb) != 0x2010100) /* RGGB */ avpriv_request_sample(avctx, "cfa_pattern"); @@ -365,6 +377,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst)