Fixes CVE-2012-2798
---
libavcodec/dfa.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index c6f09c8..d464acb 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame,
int width, int height
bitbuf = bytestream2_get_le16u(gb);
mask = 1;
}
- if (frame_end - frame < 2)
- return AVERROR_INVALIDDATA;
+
if (bitbuf & mask) {
v = bytestream2_get_le16(gb);
offset = (v & 0x1FFF) << 2;
@@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame,
int width, int height
frame += 2;
}
} else if (bitbuf & (mask << 1)) {
- frame += bytestream2_get_le16(gb) * 2;
+ v = bytestream2_get_le16(gb)*2;
+ if (frame - frame_end < v)
+ return AVERROR_INVALIDDATA;
+ frame += v;
} else {
- if (frame_end - frame < width + 2)
+ if (frame_end - frame < width + 3)
return AVERROR_INVALIDDATA;
frame[0] = frame[1] =
frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
--
1.7.10.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
