mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
dfa: Disallow odd width/height and add proper bounds check for DDS1 chunks
DDS1 chunks are decoded in 2x2 blocks, odd chunk width or height is not allowed in that case. Also ensure that the decode buffer is big enough for all blocks being processed. Bug-Id: CVE-2017-9992 CC: libav-stable@libav.org
This commit is contained in:
parent
a14a12ca13
commit
d34a133b78
@ -144,6 +144,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
|
|||||||
int mask = 0x10000, bitbuf = 0;
|
int mask = 0x10000, bitbuf = 0;
|
||||||
int i, v, offset, count, segments;
|
int i, v, offset, count, segments;
|
||||||
|
|
||||||
|
if ((width | height) & 1)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
segments = bytestream2_get_le16(gb);
|
segments = bytestream2_get_le16(gb);
|
||||||
while (segments--) {
|
while (segments--) {
|
||||||
if (bytestream2_get_bytes_left(gb) < 2)
|
if (bytestream2_get_bytes_left(gb) < 2)
|
||||||
@ -171,7 +173,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
|
|||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
frame += v;
|
frame += v;
|
||||||
} else {
|
} else {
|
||||||
if (frame_end - frame < width + 3)
|
if (width < 4 || frame_end - frame < width + 4)
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
frame[0] = frame[1] =
|
frame[0] = frame[1] =
|
||||||
frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
|
frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
|
||||||
|
Loading…
Reference in New Issue
Block a user