author | Anton Khirnov <anton@khirnov.net> | 2016-08-14 10:18:39 +0200 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2016-08-18 17:06:46 +0200 |
commit | f5d46d332258dcd8ca623019ece1d5e5bb74142b (patch) | |
tree | 1a1f550f6a000b89b23887025f2d3ea8d74c6fbd /libavcodec | |
parent | 83b92a855e8e08bdec484e13ee5a7c8996224772 (diff) | |
vmnc: check that subrectangles fit into their containing rectangles
Fixes possible invalid writes with corrupted files.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vmnc.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index 3ef2134117..7a01f1e2e6 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -287,12 +287,24 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
 return AVERROR_INVALIDDATA;
 }
 for (k = 0; k < rects; k++) {
+ int rect_x, rect_y, rect_w, rect_h;
 if (color)
 fg = vmnc_get_pixel(gb, bpp, c->bigendian);
 xy = bytestream2_get_byte(gb);
 wh = bytestream2_get_byte(gb);
- paint_rect(dst2, xy >> 4, xy & 0xF,
- (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
+
+ rect_x = xy >> 4;
+ rect_y = xy & 0xF;
+ rect_w = (wh >> 4) + 1;
+ rect_h = (wh & 0xF) + 1;
+
+ if (rect_x + rect_w > bw || rect_y + rect_h > bh) {
+ av_log(c->avctx, AV_LOG_ERROR, "Invalid subrect\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ paint_rect(dst2, rect_x, rect_y,
+ rect_w, rect_h, fg, bpp, stride);
 }
 }
 }
|
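Review bot: The new bounds check in the `for (k = 0; k < rects; k++)` loop is the only thing standing between attacker-controlled nibbles and the write in `paint_rect()`, but nothing in the code says what it relies on. I would add a comment above the `if`, such as `/* x,y are 0..15 and w,h are 1..16, so a subrect can extend up to 31 pixels; it must stay inside the current bw x bh tile */`. The check is only as strong as `bw` and `bh`, which are assigned outside this hunk, so it is worth confirming that they hold the tile size clipped to the enclosing rectangle at this point, including for edge tiles. The log message would also be more useful for triaging corrupted samples if it carried the values, e.g. `"Invalid subrect %dx%d at %d,%d in %dx%d tile\n"` with `rect_w, rect_h, rect_x, rect_y, bw, bh`. The body of `decode_hextile` starts and ends outside the hunk.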