Module: libav Branch: release/0.7 Commit: 604d72aa0d050a95aefdc15fc57743415af8283b
Author: Anton Khirnov <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Sat Sep 29 13:25:28 2012 +0200 dfa: improve boundary checks in decode_dds1() Fixes CVE-2012-2798 CC:[email protected] (cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6) Conflicts: libavcodec/dfa.c --- libavcodec/dfa.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index eeb96cf..9c80b3c 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -159,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
 bitbuf = bytestream_get_le16(&src);
 mask = 1;
 }
- if (src_end - src < 2 || frame_end - frame < 2)
- return -1;
+
 if (bitbuf & mask) {
 v = bytestream_get_le16(&src);
 offset = (v & 0x1FFF) << 2;
@@ -174,9 +173,12 @@ static int decode_dds1(uint8_t *frame, int width, int height,
 frame += 2;
 }
 } else if (bitbuf & (mask << 1)) {
- frame += bytestream_get_le16(&src) * 2;
+ v = bytestream_get_le16(&src)*2;
+ if (frame - frame_end < v)
+ return AVERROR_INVALIDDATA;
+ frame += v;
 } else {
- if (frame_end - frame < width + 2)
+ if (frame_end - frame < width + 3)
 return AVERROR_INVALIDDATA;
 frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++;
_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
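Review bot: Dropping the `src_end - src < 2 || frame_end - frame < 2` guard in the first hunk leaves every input read visible in this patch without a bound against `src_end`: `bytestream_get_le16(&src)` in both flagged branches and `*src++` in the fallback branch. The second hunk adds output-side checks only, so a truncated packet may still be read past its end unless a check exists in lines not shown here. I would keep the input half of the guard ahead of the `bitbuf & mask` test, `if (src_end - src < 2) return AVERROR_INVALIDDATA;`. The loop header and the remainder of decode_dds1 lie outside the hunk.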
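Review bot: The skip check added in the second hunk, `if (frame - frame_end < v)`, has its operands reversed: while `frame` is inside the buffer the difference is zero or negative, so it does not measure the room left. If `v` is a signed int (its declaration is outside the hunk), the test is true for practically every skip and well-formed frames get rejected. If `v` is unsigned, the comparison may be carried out in unsigned arithmetic on some targets and then stop protecting the `frame += v` advance. It should read like the check in the else branch, `if (frame_end - frame < v)`. The rest of the else branch is outside the hunk, so whether `width + 3` covers every write there cannot be confirmed from these lines.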
