aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2015-06-29 22:32:02 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2015-07-18 20:23:45 +0200
commitf775a92054a4aebbc4acc33795cb9203805e816a (patch)
tree61db4175d0f3ed40676d205d4f36869c78de4583
parentcccb06b09573a708a9ce03471db07af8dd47e712 (diff)
downloadandroid_external_ffmpeg-f775a92054a4aebbc4acc33795cb9203805e816a.tar.gz
android_external_ffmpeg-f775a92054a4aebbc4acc33795cb9203805e816a.tar.bz2
android_external_ffmpeg-f775a92054a4aebbc4acc33795cb9203805e816a.zip
avcodec/pngdec: Check values before updating context in decode_fctl_chunk()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit b54ac8403bfea4e7fab0799ccfe728ba76959a38) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat
-rw-r--r--libavcodec/pngdec.c34
1 files changed, 21 insertions, 13 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 615aad394e..60c49758f1 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -815,6 +815,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
uint32_t length)
{
uint32_t sequence_number;
+ int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op;
if (length != 26)
return AVERROR_INVALIDDATA;
@@ -831,23 +832,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->last_dispose_op = s->dispose_op;
sequence_number = bytestream2_get_be32(&s->gb);
- s->cur_w = bytestream2_get_be32(&s->gb);
- s->cur_h = bytestream2_get_be32(&s->gb);
- s->x_offset = bytestream2_get_be32(&s->gb);
- s->y_offset = bytestream2_get_be32(&s->gb);
+ cur_w = bytestream2_get_be32(&s->gb);
+ cur_h = bytestream2_get_be32(&s->gb);
+ x_offset = bytestream2_get_be32(&s->gb);
+ y_offset = bytestream2_get_be32(&s->gb);
bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */
- s->dispose_op = bytestream2_get_byte(&s->gb);
- s->blend_op = bytestream2_get_byte(&s->gb);
+ dispose_op = bytestream2_get_byte(&s->gb);
+ blend_op = bytestream2_get_byte(&s->gb);
bytestream2_skip(&s->gb, 4); /* crc */
if (sequence_number == 0 &&
- (s->cur_w != s->width ||
- s->cur_h != s->height ||
- s->x_offset != 0 ||
- s->y_offset != 0) ||
- s->cur_w <= 0 || s->cur_h <= 0 ||
- s->x_offset < 0 || s->y_offset < 0 ||
- s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset)
+ (cur_w != s->width ||
+ cur_h != s->height ||
+ x_offset != 0 ||
+ y_offset != 0) ||
+ cur_w <= 0 || cur_h <= 0 ||
+ x_offset < 0 || y_offset < 0 ||
+ cur_w > s->width - x_offset|| cur_h > s->height - y_offset)
return AVERROR_INVALIDDATA;
if (sequence_number == 0 && s->dispose_op == APNG_DISPOSE_OP_PREVIOUS) {
@@ -868,6 +869,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->dispose_op = APNG_BLEND_OP_SOURCE;
}
+ s->cur_w = cur_w;
+ s->cur_h = cur_h;
+ s->x_offset = x_offset;
+ s->y_offset = y_offset;
+ s->dispose_op = dispose_op;
+ s->blend_op = blend_op;
+
return 0;
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-01 21:00:37 +0000