diff options
| author | James Almer <jamrial@gmail.com> | 2017-11-11 00:54:19 -0300 |
|---|---|---|
| committer | James Almer <jamrial@gmail.com> | 2017-11-11 00:54:19 -0300 |
| commit | ecf4e6b7205f6021fbdcf3d419733edae28d8bdd (patch) | |
| tree | 21b8e73ff4e281b50e34c6fed80204e37cc60ec7 | |
| parent | e6d70494ce03760c6700c50380f4455c41919661 (diff) | |
| parent | d34a133b78afe2793cd8537f3c7f42437f441e94 (diff) | |
| download | ffmpeg-ecf4e6b7205f6021fbdcf3d419733edae28d8bdd.tar.gz | |
Merge commit 'd34a133b78afe2793cd8537f3c7f42437f441e94'
* commit 'd34a133b78afe2793cd8537f3c7f42437f441e94':
dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks
Merged-by: James Almer <jamrial@gmail.com>
| -rw-r--r-- | libavcodec/dfa.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 43dba2c8e9..536040d65c 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -149,6 +149,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; + if ((width | height) & 1) + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) @@ -176,7 +178,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 4) + if (width < 4 || frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); |