From d05f72c75445969cd7bdb1d860635c9880c67fb6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 13:25:28 +0200 Subject: [PATCH] dfa: improve boundary checks in decode_dds1() Fixes CVE-2012-2798 CC:libav-stable@libav.org --- libavcodec/dfa.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index c6f09c89a7..d464acb187 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (frame_end - frame < 2) - return AVERROR_INVALIDDATA; + if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; @@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream2_get_le16(gb) * 2; + v = bytestream2_get_le16(gb)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb);