Module: libav Branch: release/0.8 Commit: fee261dbfdc88d0c4f847ecba174b9ec74eaae6c
Author: Diego Biurrun <di...@biurrun.de> Committer: Diego Biurrun <di...@biurrun.de> Date: Fri Aug 11 19:15:20 2017 +0200 dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not allowed in that case. Also ensure that the decode buffer is big enough for all blocks being processed. Bug-Id: CVE-2017-9992 CC: libav-sta...@libav.org (cherry picked from commit d34a133b78afe2793cd8537f3c7f42437f441e94) Signed-off-by: Diego Biurrun <di...@biurrun.de> --- libavcodec/dfa.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index d9ff445..813cc03 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -146,6 +146,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height int mask = 0x10000, bitbuf = 0; int i, v, offset, count, segments; + if ((width | height) & 1) + return AVERROR_INVALIDDATA; segments = bytestream2_get_le16(gb); while (segments--) { if (bytestream2_get_bytes_left(gb) < 2) @@ -173,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (width < 4 || frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); _______________________________________________ libav-commits mailing list libav-commits@libav.org https://lists.libav.org/mailman/listinfo/libav-commits