diff options
| author | Anton Khirnov <anton@khirnov.net> | 2012-09-29 13:25:28 +0200 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2013-02-02 09:54:16 +0100 |
| commit | 604d72aa0d050a95aefdc15fc57743415af8283b (patch) | |
| tree | 4301c1df69955ec54674883dc21be2039ba399bf | |
| parent | 03ddc260668beaf62f6f7fe64a08b5a71be5bb27 (diff) | |
| download | ffmpeg-604d72aa0d050a95aefdc15fc57743415af8283b.tar.gz | |
dfa: improve boundary checks in decode_dds1()
Fixes CVE-2012-2798
CC:libav-stable@libav.org
(cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6)
Conflicts:
libavcodec/dfa.c
| -rw-r--r-- | libavcodec/dfa.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index eeb96cf7b1..9c80b3c4e8 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -159,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height, bitbuf = bytestream_get_le16(&src); mask = 1; } - if (src_end - src < 2 || frame_end - frame < 2) - return -1; + if (bitbuf & mask) { v = bytestream_get_le16(&src); offset = (v & 0x1FFF) << 2; @@ -174,9 +173,12 @@ static int decode_dds1(uint8_t *frame, int width, int height, frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream_get_le16(&src) * 2; + v = bytestream_get_le16(&src)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++; |