Module: libav
Branch: release/0.8
Commit: 335ec616cc38ee6206a3acebd46d01aad73d721b
Author: Michael Niedermayer <michae...@gmx.at>
Committer: Reinhard Tartler <siret...@tauware.de>
Date: Wed Mar 4 17:36:14 2015 +0000
utvideodec: Handle slice_height being zero
Fixes out of array accesses.
CC: libav-sta...@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Bug-Id: CVE-2014-9604
Signed-off-by: Vittorio Giovara <vittorio.giov...@gmail.com>
Signed-off-by: Luca Barbato <lu_z...@gentoo.org>
(cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d)
(cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded)
Signed-off-by: Reinhard Tartler <siret...@tauware.de>
(cherry picked from commit e032e647dd79e7748145792dfee0358eccb1982e)
Signed-off-by: Reinhard Tartler <siret...@tauware.de>
(cherry picked from commit 789f433bc6376e6e45d41ae491007d482fa1df85)
Conflicts:
libavcodec/utvideodec.c
---
libavcodec/utvideo.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/utvideo.c b/libavcodec/utvideo.c
index fdce255..b889ae9 100644
--- a/libavcodec/utvideo.c
+++ b/libavcodec/utvideo.c
@@ -246,6 +246,8 @@ static void restore_median(uint8_t *src, int step, int
stride,
for (slice = 0; slice < slices; slice++) {
slice_start = ((slice * height) / slices) & cmask;
slice_height = ((((slice + 1) * height) / slices) & cmask) -
slice_start;
+ if (!slice_height)
+ continue;
bsrc = src + slice_start * stride;
@@ -301,6 +303,8 @@ static void restore_median_il(uint8_t *src, int step, int
stride,
slice_start = ((slice * height) / slices) & cmask;
slice_height = ((((slice + 1) * height) / slices) & cmask) -
slice_start;
slice_height >>= 1;
+ if (!slice_height)
+ continue;
bsrc = src + slice_start * stride;
_______________________________________________
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits
