[libav-devel] [PATCH 2/2] vmdvideo: Prevent writing over the frame buffer

Luca Barbato Mon, 19 Jan 2015 05:07:28 -0800

Bug-Id: CVE-2014-9603
CC: [email protected]
---
 libavcodec/vmdvideo.c | 6 ++++++
 1 file changed, 6 insertions(+)


diff --git a/libavcodec/vmdvideo.c b/libavcodec/vmdvideo.c
index 4a14ef0..caf4f38 100644
--- a/libavcodec/vmdvideo.c
+++ b/libavcodec/vmdvideo.c
@@ -245,6 +245,12 @@ static int rle_region(VmdVideoContext *s, GetByteContext 
*gb,
             len = bytestream2_get_byte(gb);
             if (len & 0x80) {
                 len = (len & 0x7F) + 1;
+                if (ofs + len > frame_width) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                       "offset > width (%d > %d)\n",
+                       ofs, frame_width);
+                    return AVERROR_INVALIDDATA;
+                }
                 if (bytestream2_peek_byte(gb) == 0xFF) {
                     int slen = len;
                     bytestream2_get_byte(gb);
-- 
1.9.0

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 2/2] vmdvideo: Prevent writing over the frame buffer

Reply via email to