[SCM] libav/experimental: Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32(). Issue has been reported to me by Gynvael Coldwind
siretart at users.alioth.debian.org
Sun Jun 30 17:18:26 UTC 2013
The following commit has been merged in the experimental branch:
commit 742978310101b435c57e7f0adaa8ab6d345d8eb7
Author: Michael Niedermayer <michaelni at gmx.at>
Date: Tue Nov 2 01:19:12 2010 +0000
Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().
Issue has been reported to me by Gynvael Coldwind
Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index d3d3601..098e7d8 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -136,6 +136,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
int p1, p2, line=avctx->height - 1, pos=0, i;
uint16_t av_uninit(pix16);
uint32_t av_uninit(pix32);
+ unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
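Review bot: The added `width` is derived from `FFABS(pic->linesize[0])`, so it is the number of pixels that fit in one stride, not the visible picture width. A skip that lands in the padding between the picture width and the end of the stride will still pass the `pos >= width` test in the next hunk. That keeps the write inside the row, which is enough for the overrun, but a one-line comment saying the stride is the intended bound would help, or the check could use `avctx->width` if padding should never be written. The division also assumes `depth >> 3` is non-zero; the function name implies depth is 8, 16, 24 or 32, and an assert or comment stating that would make the assumption visible.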
@@ -157,11 +158,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
p1 = *src++;
p2 = *src++;
line -= p2;
- if (line < 0){
+ pos += p1;
+ if (line < 0 || pos >= width){
av_log(avctx, AV_LOG_ERROR, "Skip beyond picture bounds\n");
return -1;
}
- pos += p1;
output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
continue;
}
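Review bot: In the new condition `if (line < 0 || pos >= width){`, `pos` is declared `int` while `width` is `unsigned int`, so the comparison converts `pos` to unsigned. That happens to reject a negative `pos` too, but only through the implicit conversion; declaring both with the same signedness, or spelling out the lower bound, would make the intent explicit and avoid a sign-compare warning. This hunk bounds `pos` only where it is advanced by `p1` on the skip path, so any other statement in the function that advances `pos` or `output` within a row should be reviewed against the same `width`.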
--
Libav/FFmpeg packaging