From a392bf657015c9a79a5a13adfbfb15086c1943b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2014 21:12:08 +0100 Subject: [PATCH] avcodec/dxtory: fix src size checks Fixes integer overflow Fixes out of array read Fixes: d104661bb59b202df7671fb19a00ca6c-asan_heap-oob_d6429d_5066_cov_1729501105_dxtory_mic.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 8235481712..afadcbb683 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -37,7 +37,7 @@ static int dxtory_decode_v1_rgb(AVCodecContext *avctx, AVFrame *pic, uint8_t *dst; int ret; - if (src_size < avctx->width * avctx->height * bpp) { + if (src_size < avctx->width * avctx->height * (int64_t)bpp) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -63,7 +63,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 18 / 16) { + if (src_size < avctx->width * avctx->height * 9L / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -106,7 +106,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3 / 2) { + if (src_size < avctx->width * avctx->height * 3L / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -143,7 +143,7 @@ static int dxtory_decode_v1_444(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3) { + if (src_size < avctx->width * avctx->height * 3L) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; }