aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-02-16 21:12:08 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-02-16 21:13:02 +0100
commita392bf657015c9a79a5a13adfbfb15086c1943b9 (patch)
treee9e8ecca777f0554704a76a585d0c72f34af686b
parent573a8ce8f94f1b614bde6bbdf34f7ef88dabc076 (diff)
downloadffmpeg-a392bf657015c9a79a5a13adfbfb15086c1943b9.tar.gz
avcodec/dxtory: fix src size checks
Fixes integer overflow Fixes out of array read Fixes: d104661bb59b202df7671fb19a00ca6c-asan_heap-oob_d6429d_5066_cov_1729501105_dxtory_mic.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/dxtory.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c
index 8235481712..afadcbb683 100644
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -37,7 +37,7 @@ static int dxtory_decode_v1_rgb(AVCodecContext *avctx, AVFrame *pic,
uint8_t *dst;
int ret;
- if (src_size < avctx->width * avctx->height * bpp) {
+ if (src_size < avctx->width * avctx->height * (int64_t)bpp) {
av_log(avctx, AV_LOG_ERROR, "packet too small\n");
return AVERROR_INVALIDDATA;
}
@@ -63,7 +63,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic,
uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V;
int ret;
- if (src_size < avctx->width * avctx->height * 18 / 16) {
+ if (src_size < avctx->width * avctx->height * 9L / 8) {
av_log(avctx, AV_LOG_ERROR, "packet too small\n");
return AVERROR_INVALIDDATA;
}
@@ -106,7 +106,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic,
uint8_t *Y1, *Y2, *U, *V;
int ret;
- if (src_size < avctx->width * avctx->height * 3 / 2) {
+ if (src_size < avctx->width * avctx->height * 3L / 2) {
av_log(avctx, AV_LOG_ERROR, "packet too small\n");
return AVERROR_INVALIDDATA;
}
@@ -143,7 +143,7 @@ static int dxtory_decode_v1_444(AVCodecContext *avctx, AVFrame *pic,
uint8_t *Y, *U, *V;
int ret;
- if (src_size < avctx->width * avctx->height * 3) {
+ if (src_size < avctx->width * avctx->height * 3L) {
av_log(avctx, AV_LOG_ERROR, "packet too small\n");
return AVERROR_INVALIDDATA;
}