Bug-Id: CVE-2014-9603
CC: [email protected]
---
Not sure whether it would be better to return like this, or to write up to the
end of the buffer and return the corrupted frame.
libavcodec/vmdvideo.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavcodec/vmdvideo.c b/libavcodec/vmdvideo.c
index 4a14ef0..caf4f38 100644
--- a/libavcodec/vmdvideo.c
+++ b/libavcodec/vmdvideo.c
@@ -245,6 +245,12 @@ static int rle_region(VmdVideoContext *s, GetByteContext
*gb,
len = bytestream2_get_byte(gb);
if (len & 0x80) {
len = (len & 0x7F) + 1;
+ if (ofs + len > frame_width) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "offset > width (%d > %d)\n",
+ ofs, frame_width);
+ return AVERROR_INVALIDDATA;
+ }
if (bytestream2_peek_byte(gb) == 0xFF) {
int slen = len;
bytestream2_get_byte(gb);
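Review bot: The new av_log call prints `ofs` against `frame_width` while the condition it reports on rejects `ofs + len > frame_width`, so when the check fires the message shows a comparison that presumably does not hold (the enclosing loop would normally keep ofs below frame_width), which makes the diagnostic misleading when triaging a malformed stream. Log the quantity actually tested: `"offset + len > width (%d > %d)\n", ofs + len, frame_width`. Placing the check ahead of the `0xFF` peek is the right spot, since it bounds both the RLE sub-path and the plain-copy sub-path that follow it; the non-0x80 `else` branch and the writes into the destination row are outside the hunk, so whether that path carries an equivalent bound cannot be confirmed from here. rle_region's body continues outside the hunk.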
--
1.9.0