aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorAnton Khirnov <anton@khirnov.net>2016-08-14 10:18:39 +0200
committerAnton Khirnov <anton@khirnov.net>2016-08-18 17:06:46 +0200
commitf5d46d332258dcd8ca623019ece1d5e5bb74142b (patch)
tree1a1f550f6a000b89b23887025f2d3ea8d74c6fbd /libavcodec
parent83b92a855e8e08bdec484e13ee5a7c8996224772 (diff)
downloadffmpeg-f5d46d332258dcd8ca623019ece1d5e5bb74142b.tar.gz
vmnc: check that subrectangles fit into their containing rectangles
Fixes possible invalid writes with corrupted files. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/vmnc.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index 3ef2134117..7a01f1e2e6 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -287,12 +287,24 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
return AVERROR_INVALIDDATA;
}
for (k = 0; k < rects; k++) {
+ int rect_x, rect_y, rect_w, rect_h;
if (color)
fg = vmnc_get_pixel(gb, bpp, c->bigendian);
xy = bytestream2_get_byte(gb);
wh = bytestream2_get_byte(gb);
- paint_rect(dst2, xy >> 4, xy & 0xF,
- (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
+
+ rect_x = xy >> 4;
+ rect_y = xy & 0xF;
+ rect_w = (wh >> 4) + 1;
+ rect_h = (wh & 0xF) + 1;
+
+ if (rect_x + rect_w > bw || rect_y + rect_h > bh) {
+ av_log(c->avctx, AV_LOG_ERROR, "Invalid subrect\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ paint_rect(dst2, rect_x, rect_y,
+ rect_w, rect_h, fg, bpp, stride);
}
}
}