ffmpeg | branch: release/0.10 | Michael Niedermayer <michae...@gmx.at> | Sun Aug 3 19:24:18 2014 +0100| [e17dc0a254ac8d3c33887a114a66e2b659ba0bc5] | committer: Anton Khirnov
mmvideo: check horizontal coordinate too Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giov...@gmail.com> Signed-off-by: Anton Khirnov <an...@khirnov.net> (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov <an...@khirnov.net> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e17dc0a254ac8d3c33887a114a66e2b659ba0bc5 --- libavcodec/mmvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 501371a..660cebc 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -151,6 +151,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; + if (x + half_horiz >= s->avctx->width) + return AVERROR_INVALIDDATA; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame.data[0][y*s->frame.linesize[0] + x] = color; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
