As CDG_HEADER_SIZE is bigger than CDG_MINIMUM_PKT_SIZE, this patch fixes one out-of-bounds array access.
CC: [email protected]
Bug-Id: CVE-2013-3674
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
I reworked the patch, expanding the initial sanity check. Comments welcome.

Vittorio

 libavcodec/cdgraphics.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index b8a6fb8..ad68e10 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -269,7 +269,7 @@ static int cdg_decode_frame(AVCodecContext *avctx,
     AVFrame *frame = data;
     CDGraphicsContext *cc = avctx->priv_data;
 
-    if (buf_size < CDG_MINIMUM_PKT_SIZE) {
+    if (buf_size <= CDG_HEADER_SIZE) {
         av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
         return AVERROR(EINVAL);
     }
-- 
1.8.5.2 (Apple Git-48)
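Review bot: the new condition uses `<=`, so a packet of exactly CDG_HEADER_SIZE bytes is now rejected, but neither the hunk nor the commit message says why one byte beyond the header is required; please state the reason in the commit message or in a one-line comment above the check (for example, that the decoder reads at least one payload byte after the header), or relax it to `<` if a header-only packet is in fact valid. Since this was the only visible use of CDG_MINIMUM_PKT_SIZE, also confirm the constant still has a user after this change or drop it in the same patch to avoid a stale, misleadingly named bound.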
