[SCM] libav/experimental: mmvideo: check horizontal coordinate too
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sun Aug 10 16:04:13 UTC 2014
The following commit has been merged in the experimental branch:
commit 70cd3b8e659c3522eea5c16a65d14b8658894a94
Author: Michael Niedermayer <michaelni at gmx.at>
Date: Sun Aug 3 19:24:18 2014 +0100
mmvideo: check horizontal coordinate too
Fixes out of array accesses.
Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara at gmail.com>
Signed-off-by: Anton Khirnov <anton at khirnov.net>
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index abec2e8..d80c832 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -154,6 +154,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
int replace_array = bytestream2_get_byte(&s->gb);
for(j=0; j<8; j++) {
int replace = (replace_array >> (7-j)) & 1;
+ if (x + half_horiz >= s->avctx->width)
+ return AVERROR_INVALIDDATA;
if (replace) {
int color = bytestream2_get_byte(&data_ptr);
s->frame->data[0][y*s->frame->linesize[0] + x] = color;
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list