Re: [libav-devel] [PATCH 2/2] dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks

2017-08-11 Thread Luca Barbato
On 11/08/2017 20:28, Diego Biurrun wrote:
> DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not
> allowed in that case. Also ensure that the decode buffer is big enough
> for all blocks being processed.
> 
> Bug-Id: CVE-2017-9992
> CC: libav-sta...@libav.org
> ---
>  libavcodec/dfa.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 

Ok.

___
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 2/2] dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks

2017-08-11 Thread Diego Biurrun
DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not
allowed in that case. Also ensure that the decode buffer is big enough
for all blocks being processed.

Bug-Id: CVE-2017-9992
CC: libav-sta...@libav.org
---
 libavcodec/dfa.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 2654118fad..1682eb08cd 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, 
int width, int height
 int mask = 0x1, bitbuf = 0;
 int i, v, offset, count, segments;
 
+if ((width | height) & 1)
+return AVERROR_INVALIDDATA;
 segments = bytestream2_get_le16(gb);
 while (segments--) {
 if (bytestream2_get_bytes_left(gb) < 2)
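
Review bot: The parity test `(width | height) & 1` at the top of decode_dds1() rejects odd dimensions but lets zero and negative even values through, so it is worth confirming that the caller guarantees positive width and height, or tightening the check to cover them here. A one-line comment saying that DDS1 writes 2x2 blocks would also help, since nothing in the surrounding context lines says why parity matters.
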
@@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, 
int width, int height
 return AVERROR_INVALIDDATA;
 frame += v;
 } else {
-if (frame_end - frame < width + 3)
+if (width < 4 || frame_end - frame < width + 4)
 return AVERROR_INVALIDDATA;
 frame[0] = frame[1] =
 frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
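
Review bot: In the else branch the new bound `frame_end - frame < width + 4` cannot be verified from the context shown, where the highest index written is frame[width + 1]; a comment naming the last byte this branch touches would make the change from `width + 3` checkable. The `width < 4` test does not depend on anything inside the loop, so it could sit beside the parity check before `segments` is read, unless narrower frames that never reach this branch are meant to decode; the commit message does not mention a minimum width either way.
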
-- 
2.11.0
