mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks

DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not
allowed in that case. Also ensure that the decode buffer is big enough
for all blocks being processed.

Bug-Id: CVE-2017-9992
CC: libav-stable@libav.org
Diego Biurrun 2017-08-11 19:15:20 +02:00
parent a14a12ca13
commit d34a133b78


@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
int mask = 0x10000, bitbuf = 0; int mask = 0x10000, bitbuf = 0;
int i, v, offset, count, segments; int i, v, offset, count, segments;
if ((width | height) & 1)
return AVERROR_INVALIDDATA;
segments = bytestream2_get_le16(gb); segments = bytestream2_get_le16(gb);
while (segments--) { while (segments--) {
if (bytestream2_get_bytes_left(gb) < 2) if (bytestream2_get_bytes_left(gb) < 2)
@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
frame += v; frame += v;
} else { } else {
if (frame_end - frame < width + 3) if (width < 4 || frame_end - frame < width + 4)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
frame[0] = frame[1] = frame[0] = frame[1] =
frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
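Review bot: The new bound `width + 4` in the final `else` branch is an unexplained magic number, and the only store visible in this hunk reaches `frame[width + 1]`, so a reader cannot tell from here why 4 is the right margin. Presumably a second 2x2 block is written after a `frame += 2` just below the hunk, making `frame[width + 3]` the last byte touched; a comment above the check such as `/* two 2x2 blocks: last byte written is frame[width + 3] */` would tie the bound to the writes it protects. The `width < 4` test is loop-invariant, so it could sit next to the new `(width | height) & 1` check at the top of the function, if rejecting such frames up front is acceptable for streams that never reach this branch. The skip branch ending in `frame += v;` has its guard outside the hunk, and it is worth confirming that the guard compares `v` against `frame_end - frame`, because every later bounds check depends on `frame` staying inside the buffer. decode_dds1 starts before the first hunk and continues past the second, so these points rest only on the lines shown.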