ffmpeg | branch: master | James Almer <jamr...@gmail.com> | Sat Nov 11 00:54:19 2017 -0300| [ecf4e6b7205f6021fbdcf3d419733edae28d8bdd] | committer: James Almer
Merge commit 'd34a133b78afe2793cd8537f3c7f42437f441e94' * commit 'd34a133b78afe2793cd8537f3c7f42437f441e94': dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks Merged-by: James Almer <jamr...@gmail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ecf4e6b7205f6021fbdcf3d419733edae28d8bdd --- libavcodec/dfa.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 43dba2c8e9..536040d65c 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -149,6 +149,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; + if ((width | height) & 1) + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) @@ -176,7 +178,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 4) + if (width < 4 || frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); ====================================================================== _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog