ffmpeg | branch: release/2.4 | Michael Niedermayer <michae...@gmx.at> | Wed Mar 4 17:36:14 2015 +0000| [3a417a86b330b7c1acf9db4f729be7d619caaded] | committer: Luca Barbato
utvideodec: Handle slice_height being zero Fixes out of array accesses. CC: libav-sta...@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-9604 Signed-off-by: Vittorio Giovara <vittorio.giov...@gmail.com> Signed-off-by: Luca Barbato <lu_z...@gentoo.org> (cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d) > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a417a86b330b7c1acf9db4f729be7d619caaded --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 7d75c59..bb8c7aa 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -213,6 +213,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; @@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
