On Sat, Sep 29, 2012 at 02:04:57PM +0200, Anton Khirnov wrote:
> Fixes CVE-2012-2798
> ---
> libavcodec/dfa.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
> index c6f09c8..d464acb 100644
> --- a/libavcodec/dfa.c
> +++ b/libavcodec/dfa.c
> @@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t
> *frame, int width, int height
> bitbuf = bytestream2_get_le16u(gb);
> mask = 1;
> }
> - if (frame_end - frame < 2)
> - return AVERROR_INVALIDDATA;
> +
> if (bitbuf & mask) {
> v = bytestream2_get_le16(gb);
> offset = (v & 0x1FFF) << 2;
> @@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t
> *frame, int width, int height
> frame += 2;
> }
> } else if (bitbuf & (mask << 1)) {
> - frame += bytestream2_get_le16(gb) * 2;
> + v = bytestream2_get_le16(gb)*2;
> + if (frame - frame_end < v)
> + return AVERROR_INVALIDDATA;
> + frame += v;
> } else {
> - if (frame_end - frame < width + 2)
> + if (frame_end - frame < width + 3)
> return AVERROR_INVALIDDATA;
> frame[0] = frame[1] =
> frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
> --
LGTM
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
