diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-07-28 17:14:50 +0600 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-10-17 21:35:25 +0200 |
| commit | 3c55bf1201ac75c5e46b03e3e077031f755f85d0 (patch) | |
| tree | 3542fb6c8bdd4a9359870ea27194bff038864bf6 | |
| parent | dc5283dffcd41e8a41671d7566dfdd27c25e66bf (diff) | |
| download | ffmpeg-3c55bf1201ac75c5e46b03e3e077031f755f85d0.tar.gz | |
vc1dec: check that coded slice positions and interlacing match.
This fixes out of array writes.
Addresses: CVE-2012-2796
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>
(cherry picked from commit 1100acbab26883007898c53efeb289f562c6e514)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavcodec/vc1dec.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 46cfdb0973..38b08a565b 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5710,6 +5710,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, mb_height = s->mb_height >> v->field_mode; for (i = 0; i <= n_slices; i++) { if (i > 0 && slices[i - 1].mby_start >= mb_height) { + if (v->field_mode <= 0) { + av_log(v->s.avctx, AV_LOG_ERROR, "Slice %d starts beyond " + "picture boundary (%d >= %d)\n", i, + slices[i - 1].mby_start, mb_height); + continue; + } v->second_field = 1; v->blocks_off = s->mb_width * s->mb_height << 1; v->mb_off = s->mb_stride * s->mb_height >> 1; |