mxfdec: Fix a potential DoS vector in mxf_read_pixel_layout()

There's a a potential DoS problem in this function. Say an MXF file is created with a PixelLayout with a long run of non-zeroes. Such a file could be sent quickly (packed) over the net and would unpack quite fast. mxfdec would then read it byte-by-byte, which would take considerable time. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

mxfdec: Fix a potential DoS vector in mxf_read_pixel_layout()
There's a a potential DoS problem in this function. Say an MXF file is created with a PixelLayout with a long run of non-zeroes. Such a file could be sent quickly (packed) over the net and would unpack quite fast. mxfdec would then read it byte-by-byte, which would take considerable time. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
1d22d269 · Tomas Härdin · Michael Niedermayer · 187630b2 · 1d22d269
Commit 1d22d269 authored Oct 24, 2012 by Tomas Härdin Committed by Michael Niedermayer Oct 24, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

mxfdec.c libavformat/mxfdec.c +2 -1

No files found.
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -792,7 +792,8 @@ static void mxf_read_pixel_layout(AVIOContext *pb, MXFDescriptor *descriptor)
        if (ofs <= 14) {
            layout[ofs++] = code;
            layout[ofs++] = value;
-        }
+        } else
+            break;  /* don't read byte by byte on sneaky files filled with lots of non-zeroes */
    } while (code != 0); /* SMPTE 377M E.2.46 */

    ff_mxf_decode_pixel_layout(layout, &descriptor->pix_fmt);