[FFmpeg-cvslog] avcodec/hnm4video: check offset before subtraction in decode_interframe_v4a()
Michael Niedermayer
git at videolan.org
Mon Feb 3 03:38:34 CET 2014
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Feb 3 03:10:46 2014 +0100| [4d7d9a57825ee7a6394d361b5c5b6f16422b361c] | committer: Michael Niedermayer
avcodec/hnm4video: check offset before subtraction in decode_interframe_v4a()
Fixes out of array read
Fixes: signal_sigsegv_1326a09_1752_cov_245452111_GRTH301.HNS
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d7d9a57825ee7a6394d361b5c5b6f16422b361c
---
libavcodec/hnm4video.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
index bb827df..d8c51d0 100644
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -311,8 +311,13 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
offset = writeoffset;
offset += bytestream2_get_le16(&gb);
- if (delta)
+ if (delta) {
+ if (offset < 0x10000) {
+ av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
+ break;
+ }
offset -= 0x10000;
+ }
if (offset + hnm->width + count >= hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
More information about the ffmpeg-cvslog
mailing list