From: Michael Niedermayer <[email protected]> Fixes out of array accesses.
Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <[email protected]> --- libavcodec/mmvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index abec2e8..d80c832 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -154,6 +154,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; + if (x + half_horiz >= s->avctx->width) + return AVERROR_INVALIDDATA; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame->data[0][y*s->frame->linesize[0] + x] = color; -- 1.8.5.2 (Apple Git-48) _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
