[libav-commits] vmnc: check that subrectangles fit into their containing rectangles

Thu, 18 Aug 2016 23:56:33 -0700 

Module: libav
Branch: release/12
Commit: 7471cf1a95b044b1af01571dc1c6a1fa34e74588

Author:    Anton Khirnov <an...@khirnov.net>
Committer: Anton Khirnov <an...@khirnov.net>
Date:      Sun Aug 14 10:18:39 2016 +0200

vmnc: check that subrectangles fit into their containing rectangles

Fixes possible invalid writes with corrupted files.

CC: libav-sta...@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit f5d46d332258dcd8ca623019ece1d5e5bb74142b)
Signed-off-by: Anton Khirnov <an...@khirnov.net>

---

 libavcodec/vmnc.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index 3ef2134..7a01f1e 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -287,12 +287,24 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, 
GetByteContext *gb,
                     return AVERROR_INVALIDDATA;
                 }
                 for (k = 0; k < rects; k++) {
+                    int rect_x, rect_y, rect_w, rect_h;
                     if (color)
                         fg = vmnc_get_pixel(gb, bpp, c->bigendian);
                     xy = bytestream2_get_byte(gb);
                     wh = bytestream2_get_byte(gb);
-                    paint_rect(dst2, xy >> 4, xy & 0xF,
-                               (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
+
+                    rect_x = xy >> 4;
+                    rect_y = xy & 0xF;
+                    rect_w = (wh >> 4) + 1;
+                    rect_h = (wh & 0xF) + 1;
+
+                    if (rect_x + rect_w > bw || rect_y + rect_h > bh) {
+                        av_log(c->avctx, AV_LOG_ERROR, "Invalid subrect\n");
+                        return AVERROR_INVALIDDATA;
+                    }
+
+                    paint_rect(dst2, rect_x, rect_y,
+                               rect_w, rect_h, fg, bpp, stride);
                 }
             }
         }

_______________________________________________
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits

Reply via email to