[FFmpeg-cvslog] avcodec/dxv: Check idx in CHECKPOINT()
Michael Niedermayer
git at videolan.org
Tue Jan 5 02:56:54 CET 2016
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Jan 5 02:28:10 2016 +0100| [eb8a67de75ef6fd043f5749f6448c1874f149783] | committer: Michael Niedermayer
avcodec/dxv: Check idx in CHECKPOINT()
Fixes out of array read
Fixes Ticket5098
Fixes Ticket5099
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb8a67de75ef6fd043f5749f6448c1874f149783
---
libavcodec/dxv.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 4fdfd65..f1ea298 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -105,9 +105,17 @@ static int decompress_texture_thread(AVCodecContext *avctx, void *arg,
break; \
case 2: \
idx = (bytestream2_get_byte(gbc) + 2) * x; \
+ if (idx > pos) { \
+ av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
+ return AVERROR_INVALIDDATA; \
+ } \
break; \
case 3: \
idx = (bytestream2_get_le16(gbc) + 0x102) * x; \
+ if (idx > pos) { \
+ av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
+ return AVERROR_INVALIDDATA; \
+ } \
break; \
} \
} while(0)
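Review bot: the identical three-line bounds check is repeated in both case 2 and case 3 of CHECKPOINT(); a single `if (idx > pos)` test placed after the switch would remove the duplication and would also cover any other case that assigns idx, which this hunk does not show. The macro now contains `return AVERROR_INVALIDDATA;`, so expanding it can exit the calling function, and a comment at the macro definition should say so because nothing at the call sites reveals it. The comparison is `>`, so idx == pos is accepted; a short comment stating why that boundary is valid would make the check easier to audit. The log text "idx %d > %d" gives no indication of which quantities are being compared, and the `%d` specifiers assume both idx and pos are int, which cannot be confirmed from these lines.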