Module: libav
Branch: release/12
Commit: 0f08c77157167a10500c0992cf3829620d47f9ca

Author:    Diego Biurrun <di...@biurrun.de>
Committer: Diego Biurrun <di...@biurrun.de>
Date:      Fri Aug 11 19:15:20 2017 +0200

dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks

DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not
allowed in that case. Also ensure that the decode buffer is big enough
for all blocks being processed.

Bug-Id: CVE-2017-9992
CC: libav-sta...@libav.org
(cherry picked from commit d34a133b78afe2793cd8537f3c7f42437f441e94)
Signed-off-by: Diego Biurrun <di...@biurrun.de>

---

 libavcodec/dfa.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 8021193..6362555 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, 
int width, int height
     int mask = 0x10000, bitbuf = 0;
     int i, v, offset, count, segments;
 
+    if ((width | height) & 1)
+        return AVERROR_INVALIDDATA;
     segments = bytestream2_get_le16(gb);
     while (segments--) {
         if (bytestream2_get_bytes_left(gb) < 2)
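Review bot: The new parity guard at the top of decode_dds1 has no comment, and `(width | height) & 1` on its own does not tell a reader why odd dimensions are invalid. I would add `/* DDS1 is decoded in 2x2 blocks, so odd width or height is not allowed */` above it, which is the reason the commit message gives. The test also lets zero or negative even values through. Whether a caller can pass those is not visible in this hunk, so it is worth confirming that the dimensions are validated as positive before decode_dds1 is reached. The function body continues past the end of the hunk.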
@@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, 
int width, int height
                 return AVERROR_INVALIDDATA;
             frame += v;
         } else {
-            if (frame_end - frame < width + 3)
+            if (width < 4 || frame_end - frame < width + 4)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
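Review bot: `width < 4` cannot change between iterations, yet it is tested inside the segment loop and only on this else branch, so a chunk narrower than four pixels is rejected only when this path happens to run. If such widths are never valid for DDS1, the test belongs with the parity guard at function entry, `if ((width | height) & 1 || width < 4) return AVERROR_INVALIDDATA;`, leaving just `frame_end - frame < width + 4` here. The constant also deserves a short comment such as `/* two 2x2 blocks: last store is frame[width + 3] */`. The second block's stores fall after the end of the hunk, so that extent is inferred from the old `width + 3` bound and the commit message, not read from visible lines.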
