RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-02-08 23:58:51 +00:00
Code Issues Projects Releases Wiki Activity

dfa: improve boundary checks in decode_dds1()

Browse Source 
Fixes CVE-2012-2798

CC:libav-stable@libav.org
(cherry picked from commit d05f72c754)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Anton Khirnov 2012-09-29 13:25:28 +02:00 committed by Reinhard Tartler
parent d0267ecf76
commit 0c19855539
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/dfa.c
View File

@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
bitbuf = bytestream2_get_le16u(gb); bitbuf = bytestream2_get_le16u(gb);
mask = 1; mask = 1;
} }
if (frame_end - frame < 2)
return AVERROR_INVALIDDATA;
if (bitbuf & mask) { if (bitbuf & mask) {
v = bytestream2_get_le16(gb); v = bytestream2_get_le16(gb);
offset = (v & 0x1FFF) << 2; offset = (v & 0x1FFF) << 2;
@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
frame += 2; frame += 2;
} }
} else if (bitbuf & (mask << 1)) { } else if (bitbuf & (mask << 1)) {
frame += bytestream2_get_le16(gb) * 2; v = bytestream2_get_le16(gb)*2;
if (frame - frame_end < v)
return AVERROR_INVALIDDATA;
frame += v;
} else { } else {
if (frame_end - frame < width + 2) if (frame_end - frame < width + 3)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
frame[0] = frame[1] = frame[0] = frame[1] =
frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame[width] = frame[width + 1] = bytestream2_get_byte(gb);